For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

OTS02's avatar
OTS02
Icon for Cirrus rankCirrus
Jul 23, 2015

monitor for adfs server (GTM)

I cannot create a https monitor for our adfs servers from the GTM. I have tried many different ciphers. Tried offering only the cipher used by my Firefox browser. Curl shows the TLS handshake soundly...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 27, 2015

Okay, so finally figured it out. 😉

To start, the ciphers 0xc028, 0xc027, 0xc014, 0xc013, 0x9f, and 0x9e all equate to:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

respectively, and are all definitely supported by the BIG-IP. The definitions for these ciphers can be found here:

http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

You can verify the tmm native ciphers from your BIG-IP command line:

tmm --clientciphers NATIVE

and for openssl:

openssl ciphers |sed 's/:/\'$'\n/g'

In any case, the issue isn't one of cipher support, though your ADFS server is pretty darn restrictive in that regard. The issue is that the server requires SNI (server name indication) - a TLS extension that embeds the target hostname in the ClientHello message. It doesn't look like the built-in HTTPS monitor supports SNI, so you'd need to use an external scripted monitor. cURL would be an obvious choice here:

curl -k https://adfs.open-techs.com/adfs/ls/idpinitiatedsignon.aspx

But (this version of) curl will only send the SNI value if you use the hostname as the URL, versus the IP and port that you'd typically use in a server pool. So I had to drop back to openssl s_client. Here's an external monitor script that should do the job:

!/bin/bash

pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

if [ -f $pidfile ]
    then
    kill -9 -`cat $pidfile` > /dev/null 2>&1
fi

echo "$$" > $pidfile

node_ip=`echo $1 |sed 's/::ffff://'`
node_port=$2

getscript () {
    echo 'GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.1'
    echo 'Host: adfs.open-techs.com'
    echo ''
    while sleep 0; do
        echo 'quit\n'
    done
}

docurl () {
    IFS=$'\n'
    arr=($(getscript | openssl s_client -connect ${node_ip}:${node_port} -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com' 2>/dev/nul |grep -E '200 OK'))
    unset IFS
}

docurl

echo ${arr[0]}

if [ -n "${arr[0]}" ]
then
     Remove the pidfile before the script echoes anything to stdout and is killed by bigd
    rm -f $pidfile
    echo "up"
fi

 Remove the pidfile before the script ends
rm -f $pidfile

Notice in the openssl script I'm forcing a cipher string (ECDHE-RSA-AES256-SHA), sending the SNI with the -servername option, and then grepping for '200 OK' which then gets dumped into the array variable ${arr[0]}. If '200 OK' doesn't appear in the response, then the script sends nothing back to the monitor, otherwise it sends "up". You can obviously change what you're looking for in that grep statement.