Forum Discussion
MaxMedov
Jan 09, 2023, Cirrostratus
iRule to accept client then SSL cert validation
Hi everyone 🙂 Please advise the best way to combine an iRule with doing this: 1. Accept only client coming from 1 specific IP then: 2. For the rest (who are not this specific IP), I want to chec...
- Jan 13, 2023
MaxMedov,
I think you can use TCP::collect. Refer to the TCP collect start iRule:

    when CLIENT_ACCEPTED {
        # DEBUG On/Off : 1/0
        set DEBUG 0
        # disable client/serverside ssl profile by default
        SSL::disable clientside
        #SSL::disable serverside
        if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } {
            #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
        }
        # run TCP collect to check SNI for bypass before intercept SSL traffic
        # log local0. "run client collect command"
        TCP::collect
        set monitor_id [ after 500 { TCP::release } ]
    }
and you can check the sni, cn, etc... in "when CLIENT_DATA "
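To make the two-step policy from the question concrete (one trusted source IP passes untouched, every other client is judged on what it sends in its first TLS record), here is an added Python model of the check that the CLIENT_DATA event would perform on the collected payload. It is not code from this thread or from F5: the trusted IP, the required server name and the ClientHello used as input are all constructed test values, and the ClientHello parser is a minimal one written for this example.

```python
import ipaddress
import struct

# Constructed allowlist: the single client IP that is accepted without inspection.
TRUSTED_CLIENT = ipaddress.ip_address("192.0.2.10")   # hypothetical value (TEST-NET-1)
# Constructed: the SNI that every other client must present.
REQUIRED_SNI = "app.example.test"


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Used only to generate test input; it is not a complete handshake."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32    # client_version, random
            + b"\x00"                     # session id length 0
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if absent or malformed.
    Every length field is bounds-checked so a truncated or hostile payload yields
    None instead of an exception (the same reason an iRule should never trust
    the lengths it reads out of TCP::payload)."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:
            return None                               # not a TLS handshake record
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                               # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        hs = hs[4:4 + hs_len]
        if len(hs) < hs_len:
            return None                               # record is truncated
        pos = 2 + 32                                  # skip version and random
        pos += 1 + hs[pos]                            # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                            # compression methods
        if pos + 2 > len(hs):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hs):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                            # server_name extension
                data = hs[pos:pos + elen]
                if len(data) < 5 or data[2] != 0:     # expect one host_name entry
                    return None
                name_len = struct.unpack("!H", data[3:5])[0]
                name = data[5:5 + name_len]
                if len(name) != name_len:
                    return None
                return name.decode("ascii", errors="replace")
            pos += elen
        return None
    except (struct.error, IndexError):
        return None


def decide(client_ip, first_payload):
    """The policy from the question: the trusted IP is allowed without looking at
    the payload; everyone else must present the required SNI or is rejected.
    Returns (verdict, sni_seen)."""
    if ipaddress.ip_address(client_ip) == TRUSTED_CLIENT:
        return "allow", None
    sni = extract_sni(first_payload)
    if sni is not None and sni.lower() == REQUIRED_SNI:
        return "allow", sni
    return "reject", sni


if __name__ == "__main__":
    for ip, payload in [("192.0.2.10", b""),
                        ("198.51.100.7", build_client_hello("app.example.test")),
                        ("198.51.100.7", build_client_hello("other.example.test")),
                        ("198.51.100.7", b"GET / HTTP/1.1\r\n")]:
        print(ip, decide(ip, payload))
```

On the BIG-IP itself the equivalent logic runs in CLIENT_DATA over [TCP::payload] with binary scan, followed by TCP::release or reject; note that the SNI is only a client-supplied hint, so if the real requirement is a specific certificate CN, that check belongs in CLIENTSSL_CLIENTCERT against [X509::subject [SSL::cert 0]] after the client-side SSL profile has requested a certificate.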
MaxMedov
Jan 12, 2023, Cirrostratus
Hi G-Rob, from what I know, I can't choose an iRule in LTM Policy for the checking SSL (containing specific CN)
Can I do it in LTM Policy only without an iRule?
- G-Rob, Jan 18, 2023, Employee
Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying.