Forum Discussion
Logging SSL information through iRule
Hello,
We are migrating an application in an older DC, but before doing so the application team would like to collect some information that they are unable to at the server level. We are offloading SSL to the F5 running version 10.0.1, and I would like to log the client IP, SSL cipher name and version. The issue is not with the actual iRule, as it works, but that it logs the same message for each step in the SSL handshake. I'm looking for a way to only log on the initial Client Hello packet, as the corresponding event is not available for this version of code.
when CLIENTSSL_HANDSHAKE {
    # Open a high-speed logging handle to the syslog pool and send one line
    # per completed client-side handshake (including renegotiations).
    set hsl [HSL::open -proto UDP -pool Pool-Syslog]
    HSL::send $hsl "Connection from Client: [IP::client_addr] with Cipher: [SSL::cipher name] and SSL Version: [SSL::cipher version]"
}
Any help would be greatly appreciated. This is more of a nuisance than a problem.
Thanks,
Zac
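The following is an added example, not code from Zac's post or from F5, showing one way to get a single log line per TCP connection on a release that lacks CLIENTSSL_CLIENTHELLO. It keeps the pool name Pool-Syslog from the post and assumes standard v10-era iRule behaviour: a variable set in CLIENT_ACCEPTED lives for the whole connection and is visible in every later event on it, so a flag set on the first completed handshake suppresses the repeats caused by renegotiation.

```tcl
when CLIENT_ACCEPTED {
    # Runs once per TCP connection, before any SSL handshake. iRule variables
    # are scoped to the connection, so this flag is visible in every later
    # event on the same connection (including repeated CLIENTSSL_HANDSHAKE).
    set ssl_logged 0
}

when CLIENTSSL_HANDSHAKE {
    # Fires on every completed handshake, including renegotiations. The cipher
    # and version are only final here (they are chosen in the ServerHello), so
    # this is the right event to read them; we just refuse to log twice.
    if { $ssl_logged } {
        return
    }
    set ssl_logged 1

    set hsl [HSL::open -proto UDP -pool Pool-Syslog]
    HSL::send $hsl "Connection from Client: [IP::client_addr] with Cipher: [SSL::cipher name] and SSL Version: [SSL::cipher version]"
}
```

The trade-off is that a renegotiation which changes the cipher or version on the same connection is not logged; for the stated goal (an inventory of what clients negotiate) that is usually acceptable, but if that change matters, log on every handshake and deduplicate downstream instead.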
2 Replies
- Kevin_Stewart
Employee
An interesting question for sure. The CLIENTSSL_CLIENTHELLO command was introduced in 11.1.0, which would exactly trigger on the CLIENTHELLO message.
when CLIENTSSL_CLIENTHELLO {
    log local0. [IP::client_addr]
    log local0. [SSL::cipher name]
    log local0. [SSL::cipher version]
}
Just playing around with this, I found it a little odd that the above would actually produce values at all, given that the chosen cipher and version are dictated by the SERVERHELLO message. In any case, I would also argue that the CLIENTHELLO message is not a finite thing, and the client and server will likely continue to renegotiate SSL through the life of the session. I think if you need something to log only one time, then you should probably move that logic up the stack and maybe tie it to an application session (something like cookie existence perhaps).
- nitass
Employee
I would like to log the client ip, ssl cipher name and version.
Just wondering what actual information you are looking for. If you want to know how many clients are using each cipher/version, would the table command be useful?
The TAO of Tables - Part Three by Kevin Davies
https://devcentral.f5.com/articles/the-tao-of-tables-part-three.UvXe37SjZQI
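As an added example of the table-based approach nitass suggests (not nitass's code, and not from the linked article), the iRule below counts handshakes and distinct client addresses per negotiated cipher/version and exposes the totals on demand. The report URI /_ssl-stats and the 10.0.0.0/8 range it is restricted to are assumptions for illustration; the table subcommands used (incr, set, timeout, keys -count, lookup) are the ones available in the v10 table command.

```tcl
when CLIENTSSL_HANDSHAKE {
    # One key per negotiated cipher/version, e.g. "AES256-SHA:TLSv1".
    set key "[SSL::cipher name]:[SSL::cipher version]"

    # Total completed handshakes for this cipher/version. Table entries expire
    # after 180 seconds by default, so pin the counter with an indefinite timeout.
    table incr -subtable ssl_handshakes $key
    table timeout -subtable ssl_handshakes $key indefinite

    # One subtable per cipher/version keyed by client address: the number of
    # keys is the number of distinct clients that negotiated that combination.
    table set -subtable "ssl_clients:$key" [IP::client_addr] 1 indefinite
}

when HTTP_REQUEST {
    # Hypothetical report URI; only answer it from an assumed internal range so
    # the cipher inventory and client list are not readable by arbitrary clients.
    if { [HTTP::uri] equals "/_ssl-stats" } {
        if { !([IP::addr [IP::client_addr] equals 10.0.0.0/8]) } {
            HTTP::respond 403 content "forbidden"
            return
        }
        set body "cipher:version handshakes clients\n"
        foreach key [table keys -subtable ssl_handshakes] {
            set handshakes [table lookup -subtable ssl_handshakes $key]
            set clients [table keys -subtable "ssl_clients:$key" -count]
            append body "$key $handshakes $clients\n"
        }
        HTTP::respond 200 content $body "Content-Type" "text/plain"
        return
    }
}
```

Because the entries never expire, memory grows with the number of distinct client addresses per cipher/version; clear them with `table delete -subtable <name> -all` once the migration data has been collected, or drop the indefinite timeouts if a rolling window is good enough.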