Manipulates SSL payload for 2 Packets inside same session

Hi Fabio,

 

 

You can collect the TCP payload, check it and then collect more data using TCP::collect in CLIENT_DATA. Here's a post from Chris with a few examples:

 

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1173041/aff/5/showtab/groupforums/Default.aspx1197616

 

 

Aaron

Hi Aaron,

 

sorry but i forgot that my session is SSL.

 

 

It's the same for SSL::collect?

 

 

Thank you so much for the answer.

 

Regards

 

 

Fabio.

Yes, I think the concepts for TCP::collect and recollecting apply to SSL::collect. If you try it and get stuck let us know. Else, if you get something working, could you post it here as an example for others?

 

 

Thanks, Aaron

Ok thanks Aaron.

i khow it's wrong but unfortunately i forgot something else: the second packet is sent after an answer(the procedure is complicated to explain).

 

Howewer, to summarize the client send a SSL packet; my irule manipulates the packet adding some headers and sends it to the server that response. This response must be processed by the irule, removing these header and sending the packet to the client(this is the response that the client expects).

 

Once the client receives the response, sends the second packet.

 

Now the irule must repeat the same algorithm descrived above.

 

 

 

It's Possibile??

 

 

 

A thousand excuses because i'm not writing everything at once but I was running at the time of opening of the post and spent a lot for not being able to find a solution.

 

 

 

Thanks for any response.

 

 

 

Kind regards,

 

 

 

Fabio.

 

 

 

 

 

If you need anything ask me and i will post ASAP.

 

 

Bye.

 

Fabio.

Hi Fabio,

 

 

I think you'll need to use SSL::collect in CLIENTSSL_HANDSHAKE for the client requests and in SERVERSSL_HANDSHAKE for the server responses. Try to start with a simple iRule based on the wiki pages with a lot of debug logging and see how far you can get. If you get stuck, reply here with the iRule you're testing and the log output from /var/log/ltm.

 

 

http://devcentral.f5.com/wiki/default.aspx/iRules/CLIENTSSL_HANDSHAKE.html

 

http://devcentral.f5.com/wiki/default.aspx/iRules/SERVERSSL_HANDSHAKE.html

 

 

Aaron

Hi Aaron,

i have already tried the "test" you told me to do and i can confirm that the first packet sent by the client is modified correctly, and aslo the response by the server is modified correctly.

 

The problem is the second packet sent by the client because not generate the event "CLIENTSSL_HANDSHAKE" (As stated before, I can confirm by looking at the log)

 

 

 

Reading the wiki inherent in the event "CLIENTSSL_HANDHAKE" i have read:

 

 

 

Triggered when a client-side SSL handshake is completed.

 

 

 

The second packet is sent in the same session SSL,

 

maybe it's the reason so the second time the event is not generated.

 

 

 

How i can to do for resolve my problem?

 

 

 

Thank you so much for the precedent and future answer.

 

 

 

Regard,

 

Fabio

 

Any news?

 

 

Fabio.

I think you'd need to continue collecting from CLIENTSSL_DATA and/or SERVERSSL_DATA using SSL::collect. But I haven't tested this before and am not able to test it at the moment.

 

 

Aaron

Hi Aaron,

unfortunatly i have already tested what you say and isn't works because if i remain in SSL::collect state, the first packet not arrives at the servers.

 

Other ideas?

 

 

 

Thanks.

 

 

 

Fabio