Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
Dec 08, 2017

Selecting Server SSL in iRule and iApp

Hi,

 

I know that this is not usual situation to modify anything in iApp objects. Anyway I did it for some test purposes and something took me off guard.

 

Setup:

 

  • iApp with
    • Client SSL
    • Server SSL

iRule with code like that:

 

set profile "SSL::profile ${ssls}"
if { [PROFILE::exists serverssl] == 1} {        
    Trying to set profile specified by ssls var
    if { [catch {eval $profile}] } {
        Setting profile failed - most probably profile
        with name specified by ssls var does not exixst
        catch {eval $disable}
        Client connection should be rejected
        reject is triggering LB_FAILED
        and HTTP respond can be used
        reject
    } else {
         Hide these commands from the iRule parser (in case no serverssl profile is applied)
        set enable "SSL::enable serverside" 
        if { [catch {eval $enable}] }{
            reject
        }
    }
}

Profile specified in [catch {eval $profile}] is from /Common/ folder

 

Profile attached to VS is of course from /Common/iapp_name/ folder

 

Even if there is no error in log and everything looks like success when SERVERSSL_CLIENTHELLO_SEND is triggered (used to set SNI) Server SSL profile reported by [PROFILE::serverssl name] is the one attached to VS.

 

When no iApp based VS is used profile switching works without issue.

 

I wonder if this is because new Server SSL should be in the same folder as iApp attached profile, so not in /Common/ but in /Common/iapp_name/?

 

Piotr

 

BIG-IP
devops
iapp
iRules
not common folder
server ssl switch
  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Dec 08, 2017

    OK, I was too fast with diagnose :-( After further investigation:

     

    • [PROFILE::serverssl name] - never returns name of profile set via SSL::profile [profile_name] - always returns name of the profile attached to VS - first reason for confusion

       

    • I forgot that BIG-IP has friendliness built in - when all ports are set for VS, Port Translation is disabled without notification - nice except for situations when your intent is different than send traffic without port mods.

       

    So reason I assumed Server SSL profile can't be selected when it's in different folder was completely false :-)

     

    Profile was selected correctly but traffic directed to port 80 on VS was passed to port 80 on backend (even if pool member was reported as IP:443).

     

    After fixing Port Translation issue everything is back to normal :-)

     

    Piotr