Forum Discussion
issue with client ssl profile irule
Using an 'answer' so that I can apply formatting to this.
I've tried to reproduce this on 11.6.0, but it works without issue for me. Please take a look at my config, and see if you can spot what we're doing differently:
ltm rule http_responder {
    when HTTP_REQUEST {
        HTTP::respond 200 content "[IP::client_addr]:[TCP::client_port] This is the best website ever\n\n"
    }
}
ltm rule ssl {
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals "1.1.1.1"]} {
            log local0. "IP address:[IP::client_addr] Set SSL profile to Test1_SSL"
            SSL::profile Test1_SSL
        } else {
            log local0. "IP address:[IP::client_addr] Set SSL profile to clientssl"
            SSL::profile clientssl
        }
    }
}

create net vlan test interfaces add {1.1{tagged}} tag 111
create net self test_self vlan test address 1.1.1.254/24
create sys crypto key self-signed-key
create sys crypto cert self-signed-cert key self-signed-key.key common-name fluffybunnies
create ltm profile client-ssl Test1_SSL cert-key-chain replace-all-with { default { cert self-signed-cert.crt key self-signed-key.key } }
create ltm virtual test_ssl destination 1.1.1.100:443 profiles replace { clientssl http tcp } rules { http_responder ssl }
And then test it:
[root@ltm-1160-151:Active:Standalone] config # curl -k https://1.1.1.100
1.1.1.254:58586 This is the best website ever
/var/log/ltm:
Apr 5 19:58:24 ltm-1160-151 info tmm[11728]: Rule /Common/ssl : IP address:1.1.1.254 Set SSL profile to clientssl
I then changed the 1.1.1.1 in the ssl rule to 1.1.1.254 so that it matches the curl request, and sets the other SSL profile:
[root@ltm-1160-151:Active:Standalone] config # curl -k https://1.1.1.100
1.1.1.254:58661 This is the best website ever
/var/log/ltm:
Apr 5 20:01:05 ltm-1160-151 info tmm[11728]: Rule /Common/ssl : IP address:1.1.1.254 Set SSL profile to Test1_SSL
Granted, I'm just using an iRule to respond to the HTTP request, but that should be sufficient to test the clientssl profile without needing an actual pool member.
Let me know if you can spot how we're differing here.