
ciscoarc
Jul 10, 2014

[iRule] to trim hex value and send it to pool

Hi guys,

Would like to know if this is achievable:

I have this current iRule (modified with Kevin's pointer):

when CLIENTSSL_HANDSHAKE {
    # hold the first client data after the handshake so CLIENTSSL_DATA can inspect it
    SSL::collect
}

when CLIENTSSL_DATA {
    # first 15 hex digits of the decrypted payload
    binary scan [SSL::payload] H15 hex
    log local0. $hex

    # hex digits 8 and 9 are byte offset 4 of the payload
    log local0. [string range $hex 8 9]
    if {[string index $hex 8] equals "2" and [string index $hex 9] equals "9"} {
        log local0. "Test UAT"
        pool Value29_To_UAT_Svr1
    }
    # pass the collected payload on to the server side
    SSL::release
}

So let's say from log local0. $hex, I got a value of 00ac11242906653.

Now I have to cater for an older system, where the server behind F5 can't process anything with values starting from string index 14 (string value is "3").

Can I grab the index 29, store it in a variable, then trim the first 13 values and send it to a pool? I know this seems impossible, seeing that we'd have to modify the SSL payload?

However, I would like to know others' views about this.

5 Replies

  • I tested the SSL::payload replace command, but it didn't work.

    Do I have to do another SSL::collect after this?


  • I don't have an environment like yours to test, but you can absolutely replace the payload. Here's how it looks in my lab to an HTTPS VIP. I'm changing the first character in the request payload (GET to HET):

    when CLIENTSSL_HANDSHAKE {
        SSL::collect
    }
    when CLIENTSSL_DATA {
        binary scan [SSL::payload] H* hex
        log local0. $hex
    
        set hex2 [string replace $hex 0 1 "48"]
        log local0. $hex2
    
        # Binary format the resulting string
        set bin [binary format H* $hex2]
    
        SSL::payload replace 0 [SSL::payload length] ""
        SSL::payload replace 0 0 $bin
    
        SSL::release
    }
    

    Your mileage is going to vary based on the underlying application protocol itself. For instance, some protocols encode a length value into the packet or (like ASN.1) for individual values, so you may need to change that if you're going to be sending less data than the client generated. The amount you collect is going to need to be the amount you replace (unless you change whatever length value exists). In the above example, I'm collecting the entire payload and then replacing the entire payload.

  • Thanks Kevin,

    I noticed you use binary; that's probably because yours is HTTP. In my case, my server expects hex, so here's mine:

    when CLIENTSSL_HANDSHAKE {
        SSL::collect
    }

    when CLIENTSSL_DATA {
        # collect hex values
        binary scan [SSL::payload] H200 hex
        log local0. $hex
        set original [SSL::payload]
        # look at the 8th and 9th hex value
        log local0. [string range $hex 8 9]
        if {[string index $hex 8] equals "2" and [string index $hex 9] equals "9"} {
            log local0. "Test UAT"
            SSL::payload replace 0 7 ""
            SSL::payload replace 0 0 $original
            pool Value29_To_UAT_Svr1
        }
        # pass the collected payload on to the server side
        SSL::release
    }

    Is it possible for me to set SSL::payload to its original after pool redirection? I use

        set original [SSL::payload]

    However

        SSL::payload replace 0 0 $original

    didn't work.

    Here's what I think:

    For example, the original SSL payload total length is 40 bytes. I replace the first 7 bytes with empty space, which means now it has 33 bytes. Even with SSL::payload replace 0 0 $original, it still has 33 bytes.

    Is there any way, at some point, to use the original SSL payload again? It's a pain, because some of the servers require the first 7, some older ones do not.

    Andy


  • Correction:

    (I assume SSL payload has to be converted to bin)

    Apologies.


  • (I assume SSL payload has to be converted to bin)

    You beat me to it. What does it look like in the logs if you do this?

    log local0. [SSL::payload]
    

    If the app was truly expecting hex, then you shouldn't have to do the binary scan. In any case, if the above doesn't produce hex output, then you will definitely need to convert back to binary.

    So I may be confused on what you need to do. At first I thought you only needed to send the first 7 bytes, and now it sounds like you want to send everything but the first 7 bytes. If the former, then you'd want to strip out those 7 bytes from some amount of consumed payload, and then replace the entire payload with those 7 bytes. If the latter, then I don't think you can simply have 7 bytes of empty space at the beginning of the packet. You'd necessarily need to grab the entire payload, remove what you want, and then replace the whole thing.

    when CLIENTSSL_HANDSHAKE {
        SSL::collect
    }
    when CLIENTSSL_DATA {
        binary scan [SSL::payload] H* hex
        log local0. $hex
    
        set hex3 [string range $hex 14 end]
        log local0. $hex3
    
        set bin [binary format H* $hex3]
    
        SSL::payload replace 0 [SSL::payload length] ""
        SSL::payload replace 0 0 $bin
    
        SSL::release
    }
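The offset arithmetic the replies above keep tripping over (hex digits versus bytes) and Kevin's caveat about protocols that carry a length, as an added example that is not part of the thread and is not code posted by anyone in it. It is plain Tcl for tclsh: constructed byte strings stand in for SSL::payload, the F5-only commands (SSL::payload, SSL::release, pool, the `equals` operator) are deliberately absent, and the procedure names (hexIndexForByte, removeBytes, routesToUat, readLength, rewriteLength) plus the two-byte length-prefixed layout in the second case are assumptions made for this example, not a protocol the thread describes.

```tcl
# Added example for this thread, not code posted by anyone in it. Plain Tcl
# that runs in tclsh: constructed byte strings stand in for SSL::payload so the
# hex/byte offset arithmetic and the length bookkeeping from the replies can
# be checked offline. F5-only commands (SSL::payload, SSL::release, pool,
# the `equals` operator) are deliberately absent; plain `eq` is used instead.

# binary scan H* emits two hex digits per byte, so a byte offset maps to
# twice that index in the hex string: hex digits 8-9 are byte 4.
proc hexIndexForByte {byteOffset} {
    return [expr {2 * $byteOffset}]
}

# Remove n bytes starting at byte offset `offset`, working on the hex view and
# formatting back to binary, the same sequence the last reply uses. With
# offset 0 and n 7 this is exactly `string range $hex 14 end` from that reply.
proc removeBytes {payload offset n} {
    binary scan $payload H* hex
    set first [hexIndexForByte $offset]
    set last  [expr {[hexIndexForByte [expr {$offset + $n}]] - 1}]
    return [binary format H* [string replace $hex $first $last]]
}

# The routing test from the thread, done on the hex view: byte 4 equal to 0x29.
proc routesToUat {payload} {
    binary scan $payload H* hex
    set i [hexIndexForByte 4]
    return [expr {[string range $hex $i [expr {$i + 1}]] eq "29"}]
}

# Kevin's caveat about protocols that carry a length. The layout here is
# hypothetical, constructed for the example: a big-endian 16-bit length at
# byte offset lenOffset that counts every byte after itself.
proc readLength {payload lenOffset} {
    binary scan [string range $payload $lenOffset end] S len
    return [expr {$len & 0xFFFF}]
}
proc rewriteLength {payload lenOffset} {
    set newLen [expr {[string length $payload] - $lenOffset - 2}]
    set head   [string range $payload 0 [expr {$lenOffset - 1}]]
    set tail   [string range $payload [expr {$lenOffset + 2}] end]
    return "${head}[binary format S $newLen]${tail}"
}

# --- Case 1: the thread's situation. Constructed payload: a 7-byte header the
# older servers cannot parse (routing value 0x29 in byte 4), then a body.
set payload [binary format H* 00ac11242906653a4142434445]
binary scan $payload H* hex
puts "payload hex       : $hex"
puts "routes to UAT     : [routesToUat $payload]"

set original $payload                    ;# keep the untouched copy, as the thread does
set trimmed  [removeBytes $payload 0 7]  ;# 7 bytes == 14 hex digits, not 7 hex digits
binary scan $trimmed H* trimmedHex
puts "trimmed hex       : $trimmedHex"
puts "bytes before/after: [string length $original] / [string length $trimmed]"
if {$trimmed ne [string range $original 7 end]} {
    error "trimming on the hex view and on the bytes disagree"
}

# --- Case 2: hypothetical length-prefixed layout. Two-byte length (0x0009 =
# 9 bytes follow), then the same 7-byte header, then a 2-byte body. Stripping
# the header without touching the length leaves the receiver expecting 9
# bytes when only 2 are there; rewriteLength puts the field right.
set framed [binary format H* 000900ac11242906654142]
puts "length field before: [readLength $framed 0] (payload [string length $framed] bytes)"
set stripped [removeBytes $framed 2 7]   ;# header gone, but the length still says 9
puts "length field stale : [readLength $stripped 0] vs [expr {[string length $stripped] - 2}] real"
set fixed [rewriteLength $stripped 0]
puts "length field fixed : [readLength $fixed 0]"
if {[readLength $fixed 0] != [expr {[string length $fixed] - 2}]} {
    error "length field still inconsistent after rewrite"
}
```

Run it with `tclsh example.tcl`. In an iRule the two results would feed the pair of SSL::payload replace calls from the reply above (clear the whole collected buffer, then insert the rebuilt bytes), followed by SSL::release; the point of doing the arithmetic in plain Tcl first is that a wrong offset shows up as a mismatched byte count on the console rather than as a server that silently drops the connection.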