Forum Discussion
iRule /SSL Profile Issue
Basically I have a web-facing VIP with a real-world IP for some of our HTTPS transactions; because of this we use an auto SNAT. What we are seeing is, when our vendors make a connection, we separate their transactions by source IP, i.e. Vendor A comes in with 1.1.1.1 and we replace the NETWORK_ALIAS with 1.1.1.1. What is happening is about half of the 1.1.1.1 get replaced with the F5 self IP. In addition, in our SSL profile we require Client Authentication Client Certificate and the frequency is set to once. I have a feeling this might be the issue but I'm unsure. And I was told that if we changed the frequency to always then the iRule would need to be redone... Below is the iRule:
when CLIENTSSL_CLIENTCERT {
    # Fires only when the client presents a certificate during the handshake
    set cert [SSL::cert 0]
    set clientip [IP::remote_addr]
    if { $cert ne "" } {
        log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"
        # Hash of the client cert, inserted as the NETWORK_ALIAS header below
        set hash [X509::hash $cert]
        session add ssl [SSL::sessionid] $cert 180
    } else {
        log local0. "iRULE:ClientIP:$clientip | Status: No Cert"
        reject
        return
    }
}
when HTTP_REQUEST {
    # $hash only exists if CLIENTSSL_CLIENTCERT ran on this connection
    if { [info exists hash] } {
        HTTP::header replace NETWORK_ALIAS $hash
        log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"
    }
}
- nitass (Employee): Quoting "What is happening is about half of the 1.1.1.1 get replaced with the F5 self IP." Could you please explain a little bit more? How do you know 1.1.1.1 gets replaced with the self IP? Is it from the log command in HTTP_REQUEST or from the NETWORK_ALIAS header's hash value?
- hooleylist (Cirrostratus): With your current iRule, the header will only get inserted on HTTP requests where the client presented the cert. If the client opens a new connection and resumes the existing SSL session, you wouldn't get the cert details inserted.
when RULE_INIT {
    # Log debug messages to /var/log/ltm? 1=yes, 0=no
    set static::cert_debug 1
}
when CLIENTSSL_CLIENTCERT {
    # Check if the client presented a cert
    if { [SSL::cert count] == 0 } {
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: No cert. Rejecting." }
        # Remove the SSL session ID from the cache and reset the connection
        SSL::session invalidate
        reject
    } else {
        # Check if the client cert validates against TMM's trusted CA cert bundle
        # SSL status codes are defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        if { [SSL::verify_result] != 0 } {
            if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Bad cert - [X509::verify_cert_error_string [SSL::verify_result]]" }
            # Remove the SSL session ID from the cache and reset the connection
            SSL::session invalidate
            reject
        }
    }
}
when HTTP_REQUEST {
    # Check if the client SSL session ID and cert exist in the TMM cache
    # (this also covers resumed SSL sessions, where CLIENTSSL_CLIENTCERT does not fire)
    if { [SSL::sessionid] ne "" and [SSL::cert 0] ne "" } {
        HTTP::header replace NETWORK_ALIAS [X509::hash [SSL::cert 0]]
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Inserting cert hash: [X509::hash [SSL::cert 0]]" }
    } else {
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Invalid client SSL session ID or cert." }
        # Send a TCP reset
        reject

        # Or send an HTTP response?
        #HTTP::respond 403 content {You must supply a client cert}

        # Or renegotiate the handshake to request a client cert?
        # Force renegotiation of the SSL connection with a cert requested.
        # Hold the HTTP request until the SSL re-negotiation is complete.
        #HTTP::collect; # Need to call HTTP::release in CLIENTSSL_CLIENTCERT if a cert is presented
        #SSL::session invalidate
        #SSL::authenticate always
        #SSL::authenticate depth 9
        #SSL::cert mode require
        #SSL::renegotiate
    }
}