Forum Discussion

MaxMedov
Jan 09, 2023

iRule to accept client then SSL cert validation

Hi everyone 🙂
Please advise the best way to write an iRule that does the following:
1. Accept only the client coming from one specific IP,
then:
2. For the rest (who are not this specific IP), check the SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection

The reason is that the one client comes without the CN, and I want to let it through and check only the rest.

Thank you!

  • MaxMedov
    I think you can use TCP::collect.

    Refer to the TCP collect start iRule:

    when CLIENT_ACCEPTED {
        # DEBUG On/Off : 1/0
        set DEBUG 0
    
        # disable client/serverside ssl profile by default
        SSL::disable clientside
        #SSL::disable serverside
    
    
        if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } { #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]" }
    
        # run TCP collect to check SNI for bypass before intercept SSL traffic
        # log local0. "run client collect command"
        TCP::collect
        set monitor_id [ after 500 {
            TCP::release
        } ]
    }

    and you can check the SNI, CN, etc. in "when CLIENT_DATA".
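The logic the original post asks for (one exempt source IP; every other client must present a certificate whose subject CN contains ABC.COM, otherwise the connection is rejected) written as an iRule, as an added example that is not code from anyone in this thread. It assumes the virtual server's clientssl profile has Client Certificate set to "request" (not "require", so the exempt host can connect without a certificate) with a Trusted CA bundle configured; the IP address and CN value are constructed placeholders.

```tcl
# Added example for this thread, not code from any poster.
# Assumes a clientssl profile in "request" client-cert mode with a trusted CA bundle.

when RULE_INIT {
    set static::bypass_ip   "203.0.113.10"   ;# placeholder: the one exempt source IP
    set static::required_cn "abc.com"        ;# placeholder: string the CN must contain
}

when CLIENT_ACCEPTED {
    # Decide once per connection whether this client skips the certificate check
    if { [IP::client_addr] equals $static::bypass_ip } {
        set bypass 1
    } else {
        set bypass 0
    }
}

when CLIENTSSL_HANDSHAKE {
    # A non-exempt client completed the handshake without presenting any certificate
    if { !$bypass && [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
    }
}

when CLIENTSSL_CLIENTCERT {
    # Exempt client: accept regardless of what (if anything) it presented
    if { $bypass } { return }

    # The certificate must chain to the trusted CA (0 is X509_V_OK)
    if { [SSL::verify_result] != 0 } {
        log local0. "Client certificate from [IP::client_addr] failed verification (code [SSL::verify_result]); rejecting"
        reject
        return
    }

    # Pull the CN out of the subject DN, e.g. "CN=host.abc.com,O=Example,C=US",
    # and apply the poster's "contains ABC.COM" test case-insensitively.
    # If the DN has no CN at all, $cn stays empty and the client is rejected.
    set cn ""
    regexp -nocase {CN=([^,]+)} [X509::subject [SSL::cert 0]] -> cn
    if { [string match -nocase "*$static::required_cn*" $cn] } {
        log local0. "Accepted [IP::client_addr] with CN '$cn'"
    } else {
        log local0. "Rejecting [IP::client_addr]: CN '$cn' does not contain $static::required_cn"
        reject
    }
}
```

This checks the client certificate itself rather than the SNI, so no TCP::collect is needed. The substring match is what the post asks for; comparing the CN with `equals` against a full expected value is the stricter choice when the exact name is known.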

    • Leslie_Hubertus
      Ret. Employee

      MaxMedov did Hooni_L's solution work for you? If yes, can you please click the Accept as Solution button under their post? That way future users with the same challenge can easily find the answer. Thanks!

  • Max,

    Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.

  • Hi G-Rob, from what I know, I can't choose an iRule in an LTM Policy for checking the SSL certificate (containing a specific CN).
    Can I do it in an LTM Policy only, without an iRule?

    • G-Rob
      Employee

      Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying.