Forum Discussion

Cisco2F5_16233's avatar
Cisco2F5_16233
Icon for Nimbostratus rankNimbostratus
Jan 05, 2012

iRule /SSL Profile Issue

Basically I have Web facing VIP with a real world IP for some of our HTTPS transactions because of this we use an auto SNAT. What we are seeing is when our vendors make a connection we separate their transactions by source IPs. i.e Vendor A comes in with 1.1.1.1 and replace the NETWORK_ALIAS with 1.1.1.1. What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP. In addition in our SSL profile we require Client Authentication Client Certificate and the frequency set at once..I have a feeling this might be the issue but I’m unsure. And I was told if we changed frequency to always than the iRule would need to be re done… below is the iRule

 

 

when CLIENTSSL_CLIENTCERT {

 

set cert [SSL::cert 0]

 

set clientip [IP::remote_addr]

 

if { $cert ne ""} {

 

log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"

 

set hash [X509::hash $cert]

 

session add ssl [SSL::sessionid] $cert 180

 

} else {

 

log local0. "iRULE:ClientIP:$clientip | Status: No Cert"

 

reject

 

return

 

}

 

}

 

when HTTP_REQUEST {

 

if { [info exists hash] } {

 

HTTP::header replace NETWORK_ALIAS $hash

 

log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"

 

}

 

}

 

 

  • What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP.could you please explain a little bit more? how do you know 1.1.1.1 gets replaced with selfip? is it from log command in HTTP_REQUEST or from NETWORK_ALIAS header's hash value?
  • With your current iRule, the header will only get inserted on HTTP requests where the client presented the cert. If the client opens a new connection and resumes the existing SSL session, you wouldn't get the cert details inserted.

     

     

    You could either change the cert frequency to always or modify the iRule to read the session table entry in HTTP_REQUEST. I've added some functionality to check the client's cert against the trusted CA bundle configured in the client SSL profile. I also added some options for handling when the client's resumed session does not exist in TMM's cache. Here's an untested example:

     

     

    
    when RULE_INIT {
     Log debug messages to /var/log/ltm? 1=yes, 0=no
    set static::cert_debug 1
    }
    when CLIENTSSL_CLIENTCERT {
    
     Check if the client presented a cert
    if { [SSL::cert count] == 0 } {
    
    if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: No cert. Rejecting."}
    
     Remove the SSL session ID from the cache and reset the connection
    SSL::session invalidate
    reject
    
    } else {
     Check if client cert validates against TMMs trusted CA cert bundle
     SSL status code defined here: http://www.openssl.org/docs/apps/verify.htmlDIAGNOSTICS
    if { [SSL::verify_result] != 0 }{
    
    if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Bad cert - [X509::verify_cert_error_string [SSL::verify_result]]"}
    
     Remove the SSL session ID from the cache and reset the connection
    SSL::session invalidate
    reject
    }
    }
    }
    when HTTP_REQUEST {
    
     Check if the client SSL session ID and cert exist in the TMM cache
    if { [SSL::sessionid] ne "" and [SSL::cert 0] ne ""}{
    
    HTTP::header replace NETWORK_ALIAS [X509::hash [SSL::cert 0]]
    if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Inserting cert hash: [X509::hash [SSL::cert 0]]"}
    
    } else {
    
    if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Invalid client SSL session ID or cert."}
    
     Send a TCP reset
    reject
    
     Or send an HTTP response?
    HTTP::respond 403 content {You must supply a client cert}
    
     Or renegotiate the handshake to request a client cert?
    
     Force renegotiation of the SSL connection with a cert requested
     Hold the HTTP request until the SSL re-negotiation is complete
    HTTP::collect; Need to call HTTP::release in CLIENTSSL_CLIENTCERT if a cert is presented
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    SSL::renegotiate
    }
    }
    

     

     

    Aaron