BEdmunds_8904
Jun 19, 2012Nimbostratus
Logging SSL Renegotiations
Hi All,
So I am a complete newb to both F5 and iRules. I've got an older version of LTM, 9.4.8 w/ HF 4. We are looking to upgrade and in particular to fix the CVE-2009-3555 vulnerability. Before doing so, we want to gauge the impact to our partners, so I'd like to log all SSL renegotiation handshakes.
Borrowing from the work of Lupo in https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/86456/showtab/groupforums/Default.aspx, it looks like I could do the same, just leave off the close command.
So I end up with:
when CLIENT_ACCEPTED {
    # initialize TLS/SSL handshake count for this connection
    set sslhandshakecount 0
}

# if you have lower priority iRules on the CLIENTSSL_HANDSHAKE event, you have to make sure that they don't interfere with this iRule
when CLIENTSSL_HANDSHAKE priority 100 {
    # a handshake just occurred
    incr sslhandshakecount
    # is this the first handshake in this connection?
    if { $sslhandshakecount != 1 } {
        # log (rate limited) the event (to /var/log/tmm)
        log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred"
    }
}
Any thoughts or improvements? Is this the right approach?
I have opened a case with support too, Case C1141780
Thanks for reading.
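To turn the log lines that iRule produces into the per-partner impact figures the post is after, here is an added example (not from the post or from F5) that counts renegotiation events per virtual server and client IP. It anchors only on the bracketed message the iRule emits; the syslog prefix in the constructed sample lines (timestamp, host, tmm pid, rule name) is an assumption and is not matched.

```python
import re
from collections import Counter

# Matches the message the iRule writes. Everything before it (timestamp,
# host, "tmm[pid]: Rule ... <CLIENTSSL_HANDSHAKE>:") varies by version, so
# only the bracketed part is anchored. The greedy address class backtracks
# to the last ':' before the port, so IPv6 client addresses also split cleanly.
RENEG_RE = re.compile(
    r"\[VS (?P<vs>\S+) client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]: "
    r"TLS/SSL renegotiation occurred"
)


def summarize_renegotiations(lines):
    """Count renegotiation log lines per (virtual server, client IP).

    Returns a dict {virtual_server: Counter({client_ip: count})}.
    Lines that are not renegotiation messages are ignored.
    """
    per_vs = {}
    for line in lines:
        m = RENEG_RE.search(line)
        if not m:
            continue
        per_vs.setdefault(m.group("vs"), Counter())[m.group("ip")] += 1
    return per_vs


# Constructed sample of /var/log/tmm lines; the prefix format is assumed.
SAMPLE_LOG = """\
Jun 19 10:01:02 lb1 info tmm[1234]: Rule log_reneg <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 203.0.113.7:51234]: TLS/SSL renegotiation occurred
Jun 19 10:01:03 lb1 info tmm[1234]: Rule log_reneg <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 203.0.113.7:51235]: TLS/SSL renegotiation occurred
Jun 19 10:01:09 lb1 info tmm[1234]: Rule log_reneg <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 198.51.100.22:40001]: TLS/SSL renegotiation occurred
Jun 19 10:02:00 lb1 info tmm[1234]: Rule log_reneg <CLIENTSSL_HANDSHAKE>: [VS vs_public_https client 192.0.2.33:55000]: TLS/SSL renegotiation occurred
Jun 19 10:02:01 lb1 info tmm[1234]: some unrelated tmm message
"""

if __name__ == "__main__":
    for vs, clients in summarize_renegotiations(SAMPLE_LOG.splitlines()).items():
        print(vs)
        for ip, n in clients.most_common():
            print(f"  {ip:<16} {n} renegotiation(s)")
```

Because the iRule's `log` call is rate limited, the counts are a lower bound on the real number of renegotiations from a busy client.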