Forum Discussion
Adrien_Legros_1
Altostratus
Nov 21, 2008
Problem with SSL Offload
Hello, I want to test the SSL offload on the BigIP. Here is the iRule I use and the messages I can see in the LTM logs. I created a CA chain. I can see 0 as the result of the SSL verify, so I suppose the client certificate is OK, but traffic never goes to my nodes and the HTTP request never happens. Thanks for your help.
when RULE_INIT {
    log local0. "Rule INIT"
}

when CLIENT_ACCEPTED {
    # Per-connection flag. Initialised here rather than in RULE_INIT, where
    # a plain "set" does not create a per-connection variable and the read
    # in HTTP_REQUEST can fail on a connection that never saw a client cert.
    set ssl_handshake 0
}

when CLIENTSSL_HANDSHAKE {
    set ssl_handshake 1
    if { [SSL::cert count] > 0 } {
        # Cache the client cert under the SSL session ID so a later request
        # (or a resumed session) can retrieve it from the session table
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
    log local0. "CLIENT SSLHANDSHAKE session= [SSL::sessionid]"
}

when CLIENTSSL_CLIENTCERT {
    # Note: the logs below show [SSL::sessionid] as all zeros in this event,
    # so the session table entry added here is keyed on that zero ID
    log local0. "Result of certs [SSL::verify_result] count [SSL::cert count] id [SSL::sessionid]"
    set ssl_handshake 1
    if { [SSL::cert count] > 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
        log local0. "Count is not 0"
    }
}

when HTTP_REQUEST {
    log local0. "HTTP_REQUEST"
    # A non-zero verify result means chain validation failed: send the
    # client to the error page instead of the pool
    if { [SSL::verify_result] > 0 } {
        HTTP::redirect "http://www.mysite.be/ErrorPages/cert_reject.aspx?errorcode=[SSL::verify_result]"
        log local0. "redirect to errorpage"
        return
    }
    log local0. " SSL sessionID [SSL::sessionid]"
    # Only on the first request after a handshake: look the cert up in the
    # session table and pass its details to the pool as headers
    if { $ssl_handshake == 1 } {
        log local0. "Parameters to headers"
        set client_cert [session lookup ssl [SSL::sessionid]]
        if { $client_cert ne "" } {
            log local0.info "Client certificate retrieved from SSL SessionId"
            log local0.info "X509 Certificate subject [X509::subject $client_cert]"
            log local0.info "X509 Certificate issuer [X509::issuer $client_cert]"
            log local0.info "X509 Certificate serial [X509::serial_number $client_cert]"
            HTTP::header replace x-nbbcertsubject [X509::subject $client_cert]
            HTTP::header replace x-nbbcertissuer [X509::issuer $client_cert]
            HTTP::header replace x-nbbcertserial [X509::serial_number $client_cert]
            HTTP::header replace nbbclientip [IP::client_addr]
        }
        set ssl_handshake 0
    }
    # Pool selection: only these two cases reach the pool, everything else
    # is redirected away
    if { [HTTP::host] equals "ssltest.be" } {
        pool ssltest
        log local0. "simple url selection"
    } elseif { [HTTP::uri] starts_with "/KC" } {
        pool ssltest
        log local0. "second choice url"
    } else {
        HTTP::redirect "http://www.google.be"
        log local0. "redirect to google"
    }
}

when HTTP_RESPONSE {
    # The pool speaks plain HTTP, so rewrite any http:// redirect it issues
    # back to https:// so the client stays on the offloading virtual server
    if { [HTTP::header exists "Location"] } {
        set location_url [HTTP::header Location]
        log local0. "Old location $location_url"
        regsub -all "http://ssltest.be" $location_url "https://ssltest.be" location_url
        HTTP::header replace "Location" $location_url
        log local0. "New location $location_url"
    }
}
Logs:
Fri Nov 21 14:13:44 CET 2008 tmm tmm[970] Rule : Rule INIT
Fri Nov 21 14:14:27 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Result of certs 0 count 2 id 0000000000000000000000000000000000000000000000000000000000000000
Fri Nov 21 14:14:27 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Count 0
Fri Nov 21 14:14:28 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Result of certs 0 count 2 id 0000000000000000000000000000000000000000000000000000000000000000
Fri Nov 21 14:14:28 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Count 0
Fri Nov 21 14:14:29 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Result of certs 0 count 2 id 0000000000000000000000000000000000000000000000000000000000000000
Fri Nov 21 14:14:29 CET 2008 tmm tmm[970] Rule ssltest CLIENTSSL_CLIENTCERT: Count 0
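As an added example (not part of the original post or of F5's code), the following Python script models what the iRule's HTTP_REQUEST event does with the x-nbbcert* headers, so the edge case visible in the logs above can be exercised offline: when `session lookup` returns nothing (the logs show an all-zero session ID), or when `$ssl_handshake` is already 0 on a second request over the same connection, the posted rule never calls `HTTP::header replace`, and whatever x-nbbcertsubject value the client itself sent passes through to the pool. The `strip_untrusted` variant removes client-supplied copies first. Header names and the error-page URL are taken from the iRule; the request, certificate, IP address and verify-result values are constructed sample data.

```python
"""Model of the iRule's HTTP_REQUEST header handling (added example)."""
from typing import Dict, Optional, Tuple

# Header names from the iRule; the pool is expected to trust these
CERT_HEADERS = ("x-nbbcertsubject", "x-nbbcertissuer", "x-nbbcertserial", "nbbclientip")
REJECT_URL = "http://www.mysite.be/ErrorPages/cert_reject.aspx?errorcode={}"


def process_request(headers: Dict[str, str], verify_result: int, handshake_flag: bool,
                    cached_cert: Optional[Dict[str, str]], client_ip: str,
                    strip_untrusted: bool) -> Tuple[str, object]:
    """Mirror the iRule's HTTP_REQUEST decision.

    verify_result:   value of [SSL::verify_result]; 0 means the chain verified.
    handshake_flag:  whether $ssl_handshake is 1 (first request after a handshake).
    cached_cert:     what [session lookup ssl [SSL::sessionid]] returned, or None
                     when the lookup found nothing.
    strip_untrusted: False reproduces the posted rule, which only overwrites the
                     headers when it has a cert; True removes client-supplied
                     copies first (assumed hardening, not in the original rule).
    Returns ("redirect", url) or ("forward", upstream_headers).
    """
    # HTTP header names are case-insensitive; normalise once
    upstream = {k.lower(): v for k, v in headers.items()}

    if strip_untrusted:
        for name in CERT_HEADERS:
            upstream.pop(name, None)

    if verify_result > 0:
        return ("redirect", REJECT_URL.format(verify_result))

    if handshake_flag and cached_cert is not None:
        upstream["x-nbbcertsubject"] = cached_cert["subject"]
        upstream["x-nbbcertissuer"] = cached_cert["issuer"]
        upstream["x-nbbcertserial"] = cached_cert["serial"]
        upstream["nbbclientip"] = client_ip
    return ("forward", upstream)


# Constructed sample data: a request that carries its own subject header
SPOOFED_REQUEST = {"Host": "ssltest.be", "X-NBBCertSubject": "CN=admin,O=NBB"}
VERIFIED_CERT = {"subject": "CN=alice,O=NBB", "issuer": "CN=NBB Test CA", "serial": "1A2B3C"}
CLIENT_IP = "192.0.2.10"


def spoof_reaches_pool(handshake_flag: bool, cached_cert: Optional[Dict[str, str]],
                       strip_untrusted: bool) -> bool:
    """True if the client's own x-nbbcertsubject value survives to the pool."""
    action, result = process_request(SPOOFED_REQUEST, 0, handshake_flag,
                                     cached_cert, CLIENT_IP, strip_untrusted)
    return action == "forward" and result.get("x-nbbcertsubject") == "CN=admin,O=NBB"


if __name__ == "__main__":
    print("posted rule, empty lookup:      ", spoof_reaches_pool(True, None, False))
    print("posted rule, 2nd request:       ", spoof_reaches_pool(False, VERIFIED_CERT, False))
    print("strip first, empty lookup:      ", spoof_reaches_pool(True, None, True))
    print(process_request(SPOOFED_REQUEST, 0, True, VERIFIED_CERT, CLIENT_IP, True))
    print(process_request(SPOOFED_REQUEST, 27, True, None, CLIENT_IP, True))
```

In the iRule itself the equivalent of `strip_untrusted` is an `HTTP::header remove` of each of the four names at the top of HTTP_REQUEST, before the conditional `HTTP::header replace` calls, so the pool only ever sees values the LTM set.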
- Colin_Walker_12 (Historic F5 Account)
It looks like this iRule will only allow traffic through to the pools if the HTTP request meets certain criteria. It looks like the host needs to be "ssltest.be" or the URI needs to start with "/KC", otherwise requests will get redirected out to google.be.
- Adrien_Legros_1
Altostratus
Hello,