Forum Discussion
Logging SSL information through iRule
An interesting question for sure. The CLIENTSSL_CLIENTHELLO command was introduced in 11.1.0, which would exactly trigger on the CLIENTHELLO message.
when CLIENTSSL_CLIENTHELLO {
    # Fires when the client's CLIENTHELLO arrives (event available from 11.1.0)
    log local0. [IP::client_addr]
    # Cipher name and protocol version as reported at this point in the handshake
    log local0. [SSL::cipher name]
    log local0. [SSL::cipher version]
}
Just playing around with this, I found it a little odd that the above would actually produce values at all, given that the chosen cipher and version are dictated by the SERVERHELLO message. In any case, I would also argue that the CLIENTHELLO message is not a finite thing, and the client and server will likely continue to renegotiate SSL through the life of the session. I think if you need something to log only one time, then you should probably move that logic up the stack and maybe tie it to an application session (something like cookie existence perhaps).
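One way to follow that suggestion, as an added example that is not part of the original post: record the cipher and version once the handshake has completed (so the SERVERHELLO choice is known), then log them only once per application session, using a marker cookie. The cookie name "ssl_logged", the log format, and the assumption of a virtual server with both a client-ssl and an HTTP profile are my own.

```tcl
# Added example, not from the original post. Assumes a virtual server with a
# client-ssl profile and an HTTP profile; cookie name and log format are mine.

when CLIENTSSL_HANDSHAKE {
    # Runs after the handshake completes, so the values negotiated in the
    # SERVERHELLO are final. Variables persist for the life of the connection.
    set ssl_cipher  [SSL::cipher name]
    set ssl_version [SSL::cipher version]
    set ssl_bits    [SSL::cipher bits]
}

when HTTP_REQUEST {
    # Already logged for this application session: nothing to do.
    if { [HTTP::cookie exists "ssl_logged"] } {
        return
    }
    # No completed TLS handshake on this connection (e.g. plain HTTP).
    if { ![info exists ssl_cipher] } {
        return
    }
    log local0. "client=[IP::client_addr]:[TCP::client_port] host=[HTTP::host] cipher=$ssl_cipher version=$ssl_version bits=$ssl_bits"
    # Ask the response handler to set the marker cookie for this session.
    set mark_session 1
}

when HTTP_RESPONSE {
    if { [info exists mark_session] } {
        # Marker cookie: later requests (including renegotiated or new TCP
        # connections reusing this session) will not log again.
        HTTP::cookie insert name "ssl_logged" value "1" path "/"
        HTTP::cookie secure "ssl_logged" enable
        HTTP::cookie httponly "ssl_logged" enable
        unset mark_session
    }
}
```

Because the marker lives in the client's cookie jar, a client that drops it simply causes one more log line; the point is log volume, not enforcement.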