Forum Discussion
SSL Handshake failure / Verify irule
I'm trying to troubleshoot the below issue.
The application sends a certificate to the LTM (it is set up on an HTTPS URL to send a certificate to the LTM to authenticate itself as valid); the below iRule is used to authenticate the client and forward the HTTP request to the server.
The LTM uses client-side SSL to encrypt the client-side transaction, and the connection between the LTM and the server is encrypted with the certificate hosted on the server.
rule abc-ssl-rule {
    when CLIENTSSL_HANDSHAKE {
        # Runs after every client-side handshake, including the renegotiation
        # triggered below. Once a client certificate is present, release the
        # HTTP request that was held in HTTP_REQUEST.
        if { [SSL::cert count] > 0 } {
            log "Client cert is OK; releasing HTTP request."
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        # Only URIs listed in the data group require a client certificate.
        if { [class match [HTTP::uri] starts_with abc_p_6401-ssl-class] } {
            log "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] < 1 } {
                log "No cert found. Holding HTTP request until a client cert is presented..."
                # Hold the request, then renegotiate the client-side TLS session
                # with a client certificate required.
                HTTP::collect
                SSL::session invalidate
                SSL::renegotiate enable
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
                log "SSL renegotiated"
            }
        }
    }
    when HTTP_REQUEST_SEND {
        # Evaluate the client-side SSL session from this server-side event and
        # pass the client certificate to the pool member as a header.
        clientside {
            if { [SSL::cert count] > 0 } {
                HTTP::header insert LTM_CLIENT_CERT [X509::whole [SSL::cert 0]]
                log "Client cert forwarded to server"
            }
        }
    }
}
There are 2 different scenarios observed:
- SSL handshake fails after the client sends the client cipher spec, and the logs on the LTM show: SSL handshake failure FatalError(20).
- On the other setup, a reset is sent after the server sends the Change Cipher Spec message, thereby closing the TCP connection.
Any ideas as to what would result in this behaviour? Let me know if more data is required.
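The same on-demand client certificate pattern as the posted iRule (allow the initial handshake without a certificate, then hold the request and renegotiate with a certificate required only for protected URIs), written out here as an added example; it is not code from the original post or from F5. Beyond what the posted iRule does, it strips any client-supplied LTM_CLIENT_CERT header before inserting its own, since a back end that trusts that header would otherwise accept a forged one; it records that a renegotiation was requested so a second handshake that still carries no verified certificate is rejected rather than left holding the request; and it collapses the PEM line breaks before placing the certificate in a header value. The data group name client_cert_uris_class and the log facility are assumptions, and renegotiation only applies when the client SSL profile negotiates TLS 1.2 or earlier, because TLS 1.3 removed renegotiation.

```tcl
rule client-cert-on-demand {
    # Added example, not from the original post. The data group name
    # client_cert_uris_class is an assumption.
    when CLIENT_ACCEPTED {
        # Per-connection flag: set once we have asked the client to renegotiate.
        set renegotiated 0
    }

    when CLIENTSSL_HANDSHAKE {
        # Fires for the initial handshake and for the renegotiation triggered below.
        if { $renegotiated } {
            if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
                log local0. "Client cert verified; releasing held request"
                HTTP::release
            } else {
                # With "cert mode require" the handshake normally fails on its own;
                # this guards the case where it completes with a failed verification.
                log local0. "Client cert missing or failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
                reject
            }
        }
    }

    when HTTP_REQUEST {
        # Never trust this header from the client: drop it before deciding whether
        # to add our own, so a client cannot impersonate a certificate holder to
        # the pool member.
        HTTP::header remove LTM_CLIENT_CERT

        if { [class match [HTTP::uri] starts_with client_cert_uris_class] } {
            if { [SSL::cert count] < 1 } {
                log local0. "Cert required for [HTTP::uri]; holding request and renegotiating"
                # Hold the request so it is not forwarded before the client proves
                # its identity, then renegotiate with a client certificate required.
                HTTP::collect
                set renegotiated 1
                SSL::session invalidate
                SSL::renegotiate enable
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }

    when HTTP_REQUEST_SEND {
        # Read the client-side certificate from this server-side event.
        set cert ""
        clientside {
            if { [SSL::cert count] > 0 } {
                set cert [X509::whole [SSL::cert 0]]
            }
        }
        if { $cert ne "" } {
            # A PEM body contains line breaks, which are not valid inside a header
            # value; collapse them so the pool member receives a single-line header.
            HTTP::header insert LTM_CLIENT_CERT [string map [list "\r" "" "\n" ""] $cert]
        }
    }
}
```

The header strip in HTTP_REQUEST is the part worth keeping even if the rest is changed: whatever the pool member does with LTM_CLIENT_CERT, it should only ever see a value the LTM itself wrote.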
2 Replies
- What_Lies_Bene1
Cirrostratus
Hmmm, I'm not sure about your logic here. What do you want to do? I'm guessing here:
- CLIENTSSL_HANDSHAKE: If the client presents a cert, log the fact and proceed. If no cert, proceed.
- HTTP_REQUEST: If a specific URI is requested, check a cert was presented. If not, force renegotiation. If so, proceed.
- HTTP_REQUEST_SEND: Use clientside context, insert SSL certificate used as a header.
Not sure why you are using HTTP::collect/release.
Why force renegotiation? If the client didn't present a certificate first time, why would this help?
- Kevin_Stewart
Employee
I believe your iRule is essentially correct. Two things:
- If you remove the iRule, does it work?
- Do you see any errors in the LTM log with the iRule in place?