Forum Discussion
iRule to Decrypt and then Re-Encrypt outbound traffic
I'm supporting a server that is using a v2 SSL certificate to transmit SOAP data. I need to change the SSL from V2 on the server to V3 which is supported on the F5 LTM. My goal is to take all outbound traffic on the server on port 443, decrypt it, then re-encrypt it and send it along to its destination. I have a stateless router setup on our LTM that acts as a default gateway for the system, I just need to implement the iRule. How can I accomplish this?
- Arnaud_LemaireEmployee
you need to change the VS type from forwarding to standard in order to apply a client side and server side ssl profile to match you ssl version requirements. i'm not sure you really need an irule here.
- MattB_MA_170307Nimbostratus
A little more detail here regarding that. My VS is listening on a non-standard port, so clients connecting aren't coming in through 443. Our server receives SOAP data on that non-standard port, then makes additional outbound connections on 443. I need to re-encrypt the outbound server-initiated connections. Should I do this with a new VS and SNAT?
- MattB_MA_170307Nimbostratus
Here's even more detail- this is the stateless router we have that acts as a gateway for the servers behind the F5: http://packetpushers.net/stateless-routing-f5-ltm/
Since server initiated traffic has to pass through that router, I want to apply an irule that says
When a connection is made from x_pool on port 443 (or better yet, using the https protocol), Decrypt it using x cert then Encrypt it using y cert and send it along to the target out on the internet.
Now, that target will no doubt respond using y's cert, which then will hit the F5, and needs to be re-encrypted using x's cert.
Can that be done?
- Arnaud_LemaireEmployee
You cannot do that with the forwarding IP virtual server type you are using, as this virtual is not doing L7 proxy on flows. As i said, you have to create a new VS with you destination IP address as virtual IP and your destination PORT and then play with ssl profile to enforce ssl version you need.
- MattB_MA_170307Nimbostratus
The problem here is that the destination is always changing. The server processes outbound traffic for a number of different systems out on the Internet. This is why I was looking for an iRule that I can apply to the router, as I know they can process iRules. I also know that iRules can apply certs to outbound packets via SNAT, which according to my understanding is useful when you are dealing with a limited known set of destinations. In this case, we just need to apply a rule to a port based off of a known source address, this being the server.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com