Forum Discussion

chungyu_16122's avatar
chungyu_16122
Icon for Altostratus rankAltostratus
Jun 12, 2012

iRule for Start TLS

Hi all, we are implementing the cisco UCS on our network and to speak with the Windows AD, the the servers are load balanced but the start TLS on port 389 is not working. I have found a sample start TLS irule for SMTP, but do not know how to make it work for ldap.

 

 

Has anyone had experience with this to date?

 

 

 

Thanks in advance.

 

 

 

Chung

 

 

 

when CLIENT_ACCEPTED {

 

set ehlo 0

 

SSL::disable

 

}

 

when SERVER_CONNECTED {

 

TCP::collect

 

}

 

when CLIENT_DATA {

 

set lcpayload [string tolower [TCP::payload]]

 

if { $lcpayload starts_with "ehlo" } {

 

set ehlo 1

 

serverside { TCP::collect }

 

TCP::release

 

TCP::collect

 

} elseif { $lcpayload starts_with "starttls" } {

 

TCP::respond "220 Ready to start TLS\r\n"

 

TCP::payload replace 0 [TCP::payload length] ""

 

TCP::release

 

SSL::enable

 

} else {

 

TCP::release

 

}

 

}

 

when SERVER_DATA {

 

if { $ehlo == 1 and not([string tolower [TCP::payload]] contains "starttls") } {

 

TCP::payload replace 0 0 "250-STARTTLS\r\n"

 

}

 

TCP::release

 

clientside { TCP::collect }

 

}

 

 

 

application delivery
dev
devops
iRules

3 Replies

Sort By
  • Nat_Thirasuttakorn's avatar
    Nat_Thirasuttakorn
    Icon for Employee rankEmployee
    Jun 13, 2012
    Hi Chungyu,

     

     

    I am curious in your implementation. does the LDAP client send starttls request in the first packet or after BIND process?

     

    it would be nice if you can post the packet trace :)

     

     

    Nat
  • chungyu_16122's avatar
    chungyu_16122
    Icon for Altostratus rankAltostratus
    Jun 13, 2012
    Hi Nat

     

     

    Thanks for the reply, I will need to work on a trace, the Cisco UCS setup is not done by my team, i will get that from them .

     

     

    Chung