Forum Discussion
iRule Editor TLS support
We have been asked to block SSLv3 completely on the management interfaces of the F5 hardware. As soon as I do this the irule editor can no longer connect. Is there a way to make the iRule Editor use TLS instead of SSLv3?
Thanks, David
3 Replies
- VernonWells
Employee
I do not believe so. You could, however, proxy the connection using something like socat. In this case, you could run socat locally:
$ socat openssl-listen:443,reuseaddr,cipher=ALL,cert=server.pem,verify=0,fork openssl-connect:192.168.1.214:443,cipher=ALL,verify=0
There are a number of gotchas. Firstly, since you are running on Windows, you need a version of socat that works on Windows and is compiled with OpenSSL support. I use cygwin and ensure that both socat and openssl are installed. A trickier problem relates to the local listening port. The iRule editor appears to use SSL only if the port you connect to is 443. Otherwise, it uses HTTP. However, when it uses HTTP, it appears to die if it gets an HTTP authentication challenge, which it naturally will. This means that you really cannot proxy with any local port except 443 :(. Of course, if you have something else listening locally on port 443, that'll be a problem.
If all of this can work for you, you may wonder about generating a cert for the local "server" side of this proxy. You must generate a certificate, or you will get a cipher failure. To do this, you can:
$ openssl genrsa -out server.key 1024
$ openssl req -new -key server.key -x509 -days 3650 -out server.crt
$ cat server.key server.crt > server.pem
Depending on the environment, you may also need to:
$ chmod 600 server.pem
- Jesse_Mauntel_4
Nimbostratus
Any update on adding in TLS support? Specifically I'm looking for TLSv1.1 or newer.
- Renato
Altostratus
What worked for me is the stunnel with the following configuration:
[local-open-port]
client = no
cert = stunnel.pem
accept = 127.0.0.1:443
connect = 127.0.0.1:9876

[redirect-to-bigip]
client = yes
accept = 127.0.0.1:9876
connect = ...:443
Just change the ... to your BIG-IP device address. Once done you can configure the iRule Editor to connect to localhost on port 443. It works because stunnel will create two different connections (full proxy?), which will also permit two distinct SSL negotiations: one that will work for the iRule Editor and another for the BIG-IP device.
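As an added example (not code from this thread, from F5, or from the socat/stunnel projects), here is the same two-negotiation loopback bridge the socat and stunnel replies describe, written in Python so the hop that actually crosses the network can pin a minimum TLS version and verify the BIG-IP certificate instead of `verify=0`. It assumes server.pem was generated as in the first reply, that the BIG-IP management CA certificate has been exported to bigip-ca.pem, that the BIGIP_MGMT_ADDRESS placeholder is replaced, and that the editor can negotiate TLS 1.0 or later on the loopback side, since Python's ssl module does not offer SSLv3.

```python
"""Loopback TLS bridge for the iRule Editor (added example, not from the thread)."""
import socket
import ssl
import threading

LISTEN = ("127.0.0.1", 443)                 # editor only ever speaks to loopback
BIGIP = ("BIGIP_MGMT_ADDRESS", 443)         # placeholder: your BIG-IP management address
SERVER_PEM = "server.pem"                   # assumed: cert+key from the first reply
BIGIP_CA = "bigip-ca.pem"                   # assumed: CA that issued the BIG-IP mgmt cert


def editor_side_context(certfile: str) -> ssl.SSLContext:
    """Server-side context for the loopback hop; takes whatever TLS the editor can do."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)
    return ctx


def bigip_side_context(cafile):
    """Client-side context for the network hop: TLS 1.2+ only, certificate verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 / TLS 1.0 / 1.1 are never offered
    ctx.verify_mode = ssl.CERT_REQUIRED            # the part verify=0 in the socat line skips
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()                   # fall back to the system trust store
    return ctx


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until either side closes, then tear both down."""
    try:
        while chunk := src.recv(16384):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def serve(listen=LISTEN, bigip=BIGIP, certfile=SERVER_PEM, cafile=BIGIP_CA) -> None:
    """Accept editor connections and open a separate, verified TLS session per client."""
    srv_ctx, cli_ctx = editor_side_context(certfile), bigip_side_context(cafile)
    with socket.create_server(listen) as lsock:
        while True:
            raw, _ = lsock.accept()
            try:
                editor = srv_ctx.wrap_socket(raw, server_side=True)
                upstream = cli_ctx.wrap_socket(socket.create_connection(bigip),
                                               server_hostname=bigip[0])
            except (ssl.SSLError, OSError) as exc:
                print("handshake failed (SSLv3-only client or untrusted BIG-IP cert):", exc)
                raw.close()
                continue
            threading.Thread(target=pump, args=(editor, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, editor), daemon=True).start()


if __name__ == "__main__":
    serve()
```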