Forum Discussion
iRule to log every SSL related event on VS
Hi, I need an iRule that would put all SSL related events to a log file on a particular VS.
The reason is that one of the applications connecting to a server behind the F5 load balancer is experiencing SSL handshake errors every now and then. Now no one could ever reproduce these errors from the client side, so I guess having a bunch of logs and comparing them against the timestamps when the error occurs would be a good idea, at least to exclude my F5 as the bandit causing the error.
2 Replies
- jgranieri
Nimbostratus
I would recommend writing an irule that will execute log statements for every SSL event your VS will perform.
[https://devcentral.f5.com/wiki/irules.ssl.ashx]
- CLIENTSSL_CLIENTCERT - Triggered when the system adds an SSL client certificate to the client certificate chain.
- CLIENTSSL_CLIENTHELLO - Triggered when the system has received the client's SSL ClientHello message.
- CLIENTSSL_DATA - Triggered each time new SSL data is received from the client while the connection is in "collect" state.
- CLIENTSSL_HANDSHAKE - Triggered when a client-side SSL handshake is completed.
- CLIENTSSL_SERVERHELLO_SEND - Triggered when the system is about to send its SSL ServerHello message on the clientside connection.
- SERVERSSL_CLIENTHELLO_SEND - Triggered when the system is about to send its SSL ClientHello message.
- SERVERSSL_DATA - Triggered when new SSL data is received from the target node after a collect command has been issued.
- SERVERSSL_HANDSHAKE - Triggered when a server-side SSL handshake is completed.
- SERVERSSL_SERVERHELLO - Triggered when the system has received the server's SSL ServerHello message.
I used CLIENTSSL triggers. More or less my idea was to log every attempt of SSL handshake, and after that every successful SSL handshake. I added the session ID for tracking purposes. Now, when my client complains that something went wrong, I can cross-check it with my logs. If the amount of SSL attempts == SSL handshakes (on that particular timestamp) I can tell him to go fudge himself :) Here's what I came up with:
```tcl
when CLIENTSSL_CLIENTHELLO {
    ## log event with session id, when client attempts to connect
    set session_id_hello [SSL::sessionid]
    log local0. "## SSL Attempt from [IP::client_addr], session ID: $session_id_hello"
}
when CLIENTSSL_HANDSHAKE {
    ## log event with session id, when handshake completed
    set session_id_handshake [SSL::sessionid]
    log local0. "## SSL HS completed from [IP::client_addr], session ID: $session_id_handshake"
}
```

The double hash (##) is used to put these particular logs in a different file.
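Pulling jgranieri's event list and the original poster's rule together, here is a fuller rule as an added example (not code from either post): it logs every client- and server-side SSL event listed above with a per-connection tag, and additionally flags in CLIENT_CLOSED any connection that ended without the client-side handshake completing, which is the failed-handshake case the question is about. It assumes a virtual server with both a client SSL and a server SSL profile; the variable names and the per-connection tag are my own, and the leading ## follows the original poster's convention for routing these lines to a separate log file.

```tcl
## Added example, not from the thread. Logs every SSL event on the VS and
## flags connections that close before the client-side handshake completes.
when CLIENT_ACCEPTED {
    ## hs_done is set once CLIENTSSL_HANDSHAKE fires for this connection
    set hs_done 0
    ## constructed per-connection tag (client IP:port) so lines can be correlated
    set tag "[IP::client_addr]:[TCP::client_port]"
}
when CLIENTSSL_CLIENTHELLO {
    log local0. "## $tag CLIENTSSL_CLIENTHELLO sid=[SSL::sessionid]"
}
when CLIENTSSL_SERVERHELLO_SEND {
    log local0. "## $tag CLIENTSSL_SERVERHELLO_SEND"
}
when CLIENTSSL_CLIENTCERT {
    log local0. "## $tag CLIENTSSL_CLIENTCERT"
}
when CLIENTSSL_HANDSHAKE {
    set hs_done 1
    ## protocol version and cipher are only known once the handshake completes
    log local0. "## $tag CLIENTSSL_HANDSHAKE sid=[SSL::sessionid] version=[SSL::cipher version] cipher=[SSL::cipher name] bits=[SSL::cipher bits]"
}
when SERVERSSL_CLIENTHELLO_SEND {
    log local0. "## $tag SERVERSSL_CLIENTHELLO_SEND to [IP::server_addr]"
}
when SERVERSSL_SERVERHELLO {
    log local0. "## $tag SERVERSSL_SERVERHELLO from [IP::server_addr]"
}
when SERVERSSL_HANDSHAKE {
    log local0. "## $tag SERVERSSL_HANDSHAKE to [IP::server_addr] version=[SSL::cipher version] cipher=[SSL::cipher name]"
}
when CLIENT_CLOSED {
    ## a connection that closes without CLIENTSSL_HANDSHAKE ever firing is the
    ## intermittent failure the question is hunting for (this also catches TCP
    ## connections that closed before sending any ClientHello)
    if { $hs_done == 0 } {
        log local0. "## $tag CLIENT_CLOSED before client-side SSL handshake completed"
    }
}
```

Expect several lines per connection on a busy VS, so keep the rule attached only while troubleshooting and compare the CLIENT_CLOSED-without-handshake lines against the timestamps the client reports.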