Ian_Johnson_382
Oct 21, 2013

Issue with string matching in SSL payload

Hi All,

I am using an iRule to perform pool selection based on a string match in an SSL payload. This is working fine for a simple string match "DC=ab", but a longer string of "CN=EMEA,CN=EUC,DC=global" does not match.

This is the iRule I am using:

when RULE_INIT {
    set DEBUG 0
}

when CLIENTSSL_HANDSHAKE {
    if { $::DEBUG } { log local0. "Client connected [IP::client_addr]" }
    SSL::collect
}

when CLIENTSSL_DATA {
    # If in debug mode, log payload of received packet
    if { $::DEBUG } { log local0. "payload <[SSL::payload]>" }

    # Check if payload contains the string we want
    if { [SSL::payload] contains "DC=ab" } {
        # If in debug mode, log that the payload matched
        if { $::DEBUG } { log local0. "DC=ab payload matched" }
        pool pool_ad_ab
    } elseif { [SSL::payload] contains "CN=EMEA,CN=EUC,DC=global" } {
        # If in debug mode, log that the payload matched
        if { $::DEBUG } { log local0. "CN=EMEA,CN=EUC,DC=global payload matched" }
        pool pool_ad_global
    }
    if { $::DEBUG } { log local0. "Release TCP connection" }
    SSL::release
}

I have checked the incoming request and the string is correct; this is the incoming payload:

04 3e 6c 64 61 70 3a 2f 2f 67 6c 6f 62 61 6c 2e    .>ldap://global.
69 63 61 70 2e 63 6f 6d 2f 43 4e 3d 45 4d 45 41    abc.com/CN=EMEA
2c 43 4e 3d 45 55 43 2c 44 43 3d 67 6c 6f 62 61    ,CN=EUC,DC=globa
6c 2c 44 43 3d 69 63 61 70 2c 44 43 3d 63 6f 6d    l,DC=abc,DC=com

Any ideas on why the string is not found?

Thanks, Ian

3 Replies

  • Just spitballing here, but from your example the incoming payload matches both criteria (i.e. it contains "DC=ab").

  • It may just be that the request is crossing a packet boundary. Try adding an SSL::collect directly after the SSL::release. In lieu of that, can you describe how the query is being called?
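As an added example that is not part of this thread (not Ian's rule and not F5 code), here is a rewrite of the rule that folds in both replies above: it tests the more specific DN first and delimits the short token so "DC=ab" cannot match "DC=abc", and when nothing matches it keeps collecting instead of releasing the first fragment. It assumes a v10+ BIG-IP (static:: variables), that the ab domain's DN continues with "," after DC=ab, and that SSL::collect called again from CLIENTSSL_DATA without an intervening SSL::release appends the next record to the buffered payload.

```tcl
when RULE_INIT {
    # static:: variables replace $:: globals on CMP systems (assumption: v10+)
    set static::DEBUG 0
    # Upper bound on bytes buffered while waiting for a complete DN
    set static::MAX_COLLECT 4096
}

when CLIENTSSL_HANDSHAKE {
    if { $static::DEBUG } { log local0. "Client connected [IP::client_addr]" }
    SSL::collect
}

when CLIENTSSL_DATA {
    set payload [SSL::payload]
    if { $static::DEBUG } { log local0. "payload <$payload>" }

    # Most specific string first: "DC=ab" is a prefix of "DC=abc", so testing
    # the short token first would claim the global DN as well.
    if { $payload contains "CN=EMEA,CN=EUC,DC=global" } {
        if { $static::DEBUG } { log local0. "global DN matched" }
        pool pool_ad_global
        SSL::release
        return
    }
    # Terminate the short token with its delimiter so "DC=abc" cannot match
    # (assumption: the ab domain's DN has "," right after DC=ab).
    if { $payload contains "DC=ab," } {
        if { $static::DEBUG } { log local0. "ab DN matched" }
        pool pool_ad_ab
        SSL::release
        return
    }

    # No match yet: the DN may be split across SSL records, so keep buffering
    # (assumption: a second SSL::collect appends rather than restarts) up to a cap.
    if { [SSL::payload length] < $static::MAX_COLLECT } {
        SSL::collect
        return
    }
    # Cap reached without a match: release and let the default pool handle it
    if { $static::DEBUG } { log local0. "No DN match in [SSL::payload length] bytes" }
    SSL::release
}
```

The cap matters: without it, a client that never sends a matching DN would keep the connection buffered on the BIG-IP indefinitely.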