Forum Discussion
iRule not working with SSL profile assigned to virtual server
Hi All,
I am using an iRule to direct incoming LDAP requests to servers based on the "CN" string. When I don't have a Client SSL profile assigned to the virtual server, the rule works fine. With an SSL profile assigned, the rule does not match on the TCP payload, and using tcpdump I do not see any unencrypted traffic leave, just a RST sent back to the client.
This is running on LTM 10.2.4HF3.
# Set DEBUG to 1 to get debug-logging of this iRule in /var/log/ltm
when RULE_INIT {
    set DEBUG 1
}
when CLIENT_ACCEPTED {
    if { $::DEBUG } { log local0. "Client connected [IP::client_addr] " }
    TCP::collect
}
when CLIENT_DATA {
    # Save payload
    set payload [TCP::payload]
    # If in debug mode, log payload of received packet
    if { $::DEBUG } { log local0. "payload <$payload" }
    # Check if payload contains the string we want to replace
    if { [TCP::payload] contains "CN=adminbh" } {
        # If in debug mode, log that the payload matched
        if { $::DEBUG } { log local0. "payload matched" }
        pool pool_bh
    }
    if { $::DEBUG } { log local0. "Release TCP connection" }
    TCP::release
}
Any ideas?
Thanks
Ian
- Mohamed_Lrhazi
Altocumulus
When I don't have a Client SSL profile assigned to the virtual server the rule works fine.
- What_Lies_Bene1
Cirrostratus
Can you confirm your clients are using LDAPS?
- Ian_Johnson_382
Nimbostratus
We have checked the incoming traffic and it is SSL. I have captured the request and can see the SSL handshake and using ssldump I can see the LDAP query being sent.
- Mohamed_Lrhazi
Altocumulus
How could one match the string "CN=adminbh" in SSL encrypted payload?
- What_Lies_Bene1
Cirrostratus
Can you post the Virtual Server configuration?
- Ian_Johnson_382
Nimbostratus
Here is the Virtual server configuration
With the clientssl profile
virtual vs__ldaps {
   snatpool mimecast_snat
   destination x.x.x.x:ldaps
   ip protocol tcp
   rules ldap-redirect
   profiles {
      ssl_ldap {
         clientside
      }
      tcp-lan-optimized {
         serverside
      }
      tcp-wan-optimized {
         clientside
      }
   }
}
- What_Lies_Bene1
Cirrostratus
You seem to be using a different iRule with each VS configuration?
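
Added example, not part of the thread and not any poster's code: with a client SSL profile on the virtual server, TCP::payload in CLIENT_DATA holds TLS records rather than the LDAP request, so this sketch inspects the decrypted data through SSL::collect and CLIENTSSL_DATA instead. It assumes pool_bh from the original rule exists and that connections that do not match are handled by whatever default pool the virtual server has.

```tcl
# Added example: select a pool from the decrypted LDAP request.
# Assumption: a client SSL profile terminates LDAPS on this virtual server.
when CLIENT_ACCEPTED {
    # Per-connection debug flag; set to 0 to silence logging
    set debug 1
    if { $debug } { log local0. "Client connected [IP::client_addr]" }
}
when CLIENTSSL_HANDSHAKE {
    # TLS handshake is complete: start collecting decrypted application data
    SSL::collect
}
when CLIENTSSL_DATA {
    # SSL::payload is plaintext here, unlike TCP::payload in CLIENT_DATA.
    # Log only the length: an LDAP simple bind carries the password in the
    # same message as the DN, and it would otherwise land in /var/log/ltm.
    if { $debug } { log local0. "decrypted payload length [SSL::payload length]" }
    if { [SSL::payload] contains "CN=adminbh" } {
        if { $debug } { log local0. "payload matched" }
        pool pool_bh
    }
    # Hand the collected data on to the selected pool
    SSL::release
}
```

Without a server SSL profile the request leaves the BIG-IP unencrypted, so the pool members must accept plain LDAP or the virtual server needs a server-side SSL profile added.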