iRule /SSL Profile Issue

Question

Basically I have Web facing VIP with a real world IP for some of our HTTPS transactions because of this we use an auto SNAT. What we are seeing is when our vendors make a connection we separate their transactions by source IPs. i.e Vendor A comes in with 1.1.1.1 and replace the  NETWORK_ALIAS with 1.1.1.1. What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP. In addition in our SSL profile we require Client Authentication Client Certificate and the frequency set at once..I have a feeling this might be the issue but I’m unsure. And I was told if we changed frequency to always than the iRule would need to be re done…  below is the iRule &nbsp;
&nbsp;when CLIENTSSL_CLIENTCERT {
&nbsp; set cert [SSL::cert 0]
&nbsp; set clientip [IP::remote_addr]
&nbsp;if { $cert ne ""} { 
&nbsp; log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent" 
&nbsp; set hash [X509::hash $cert]
&nbsp; session add ssl [SSL::sessionid] $cert 180 
&nbsp;} else { 
&nbsp; log local0. "iRULE:ClientIP:$clientip | Status: No Cert" 
&nbsp; reject 
&nbsp; return 
&nbsp;} 
&nbsp;}
&nbsp;when HTTP_REQUEST {
&nbsp; if { [info exists hash] } {
&nbsp; HTTP::header replace NETWORK_ALIAS $hash
&nbsp; log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"
&nbsp;}
&nbsp;}&nbsp;&nbsp;

nitass · Answer

What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP.could you please explain a little bit more? how do you know 1.1.1.1 gets replaced with selfip? is it from log command in HTTP_REQUEST or from NETWORK_ALIAS header's hash value?

hoolio · Answer

With your current iRule, the header will only get inserted on HTTP requests where the client presented the cert.  If the client opens a new connection and resumes the existing SSL session, you wouldn't get the cert details inserted.   
&nbsp;  
&nbsp; You could either change the cert frequency to always or modify the iRule to read the session table entry in HTTP_REQUEST.  I've added some functionality to check the client's cert against the trusted CA bundle configured in the client SSL profile.  I also added some options for handling when the client's resumed session does not exist in TMM's cache.  Here's an untested example: 
&nbsp;  
&nbsp; 
when RULE_INIT {
 Log debug messages to /var/log/ltm? 1=yes, 0=no
set static::cert_debug 1
}
when CLIENTSSL_CLIENTCERT {

Check if the client presented a cert
if { [SSL::cert count] == 0 } {

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: No cert. Rejecting."}

Remove the SSL session ID from the cache and reset the connection
SSL::session invalidate
reject

} else {
 Check if client cert validates against TMMs trusted CA cert bundle
 SSL status code defined here: http://www.openssl.org/docs/apps/verify.htmlDIAGNOSTICS
if { [SSL::verify_result] != 0 }{

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Bad cert - [X509::verify_cert_error_string [SSL::verify_result]]"}

Remove the SSL session ID from the cache and reset the connection
SSL::session invalidate
reject
}
}
}
when HTTP_REQUEST {

Check if the client SSL session ID and cert exist in the TMM cache
if { [SSL::sessionid] ne "" and [SSL::cert 0] ne ""}{

HTTP::header replace NETWORK_ALIAS [X509::hash [SSL::cert 0]]
if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Inserting cert hash: [X509::hash [SSL::cert 0]]"}

} else {

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Invalid client SSL session ID or cert."}

Send a TCP reset
reject

Or send an HTTP response?
HTTP::respond 403 content {You must supply a client cert}

Or renegotiate the handshake to request a client cert?

Force renegotiation of the SSL connection with a cert requested
 Hold the HTTP request until the SSL re-negotiation is complete
HTTP::collect; Need to call HTTP::release in CLIENTSSL_CLIENTCERT if a cert is presented
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
}
 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Recent Discussions

F5 rate limiting with Irule

Grpc Keepalive and F5 full proxy

Bigip Restoration From Hardware to VM

Help with SSH Virtual Server

About vlangroup traffic

Related Content

Irule Example Issue

iRule Execution Tracing and Performance Profiling, Part 1

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

F5 BIG-IP Advanced WAF – DOS profile configuration options.

Mitigate Unplanned Scale Issues with an iRule Waiting Room

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS