SSL Inspection Bypass
Hi,
I'm in the process of setting up SSL inspection on browsing traffic for a client. I have been using F5's deployment guide (https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf) to set this up and for the most part it is working.
However, when I apply the specified iRule from the deployment guide to bypass certain URL categories for inspection, HTTPS browsing fails, barring those sites which are being bypassed.
Examples: when I hit https://www.hsbc.co.uk with the below iRule applied to my wildcard VS, I am presented with HSBC's cert as you would expect. But going to https://www.reddit.com bombs out completely. HTTP browsing is fine. If I remove the iRule, inspection works perfectly to every HTTPS site, but obviously I don't want to be inspecting everything. Also, without the iRule, HTTP browsing bombs.
Any ideas?
# Categories whose traffic is passed through without interception. Add or
# remove entries as needed; see Access Policy > Secure Web Gateway > URL
# Categories for the list of options. The note is kept outside the braces:
# inside a braced list literal Tcl does not treat a line as a comment, its
# words would simply become extra list elements.
when RULE_INIT {
    set static::airgap_ssl_bypass_categories {
        /Common/Financial_Data_and_Services
        /Common/Health
        /Common/Facebook_Chat
    }
}

# Start every connection with SSL and HTTP off, then peek at the first
# bytes from the client before deciding which profiles to enable.
when CLIENT_ACCEPTED {
    HTTP::disable
    SSL::disable clientside
    SSL::disable serverside
    TCP::collect
}

when CLIENT_DATA {
    # The first byte of a TLS record is its content type:
    # 20 = ChangeCipherSpec, 22 = Handshake, 23 = ApplicationData.
    binary scan [TCP::payload] c type
    if { ( $type == 23 ) or ( $type == 20 ) } {
        SSL::enable clientside
        SSL::enable serverside
    } elseif { $type == 22 } {
        SSL::enable clientside
        SSL::enable serverside
        HTTP::enable
    }
    TCP::release
}

when CLIENTSSL_CLIENTHELLO {
    # Extension type 0 is server_name (SNI). The raw extension is laid out as
    # ext type (2), ext length (2), list length (2), name type (1),
    # name length (2), name; the binary scan format below mirrors that.
    set sni_exists [SSL::extensions exists -type 0]
    if { $sni_exists } {
        binary scan [SSL::extensions -type 0] S1S1S1cS1a* ssl_ext_type ssl_ext_len ssl_ext_sn_list_len ssl_ext_sn_type ssl_ext_sn_len ssl_ext_sn
    }
}

when SERVERSSL_HANDSHAKE {
    # No SNI: classify the CN of the certificate the real server presented.
    # Guarded with info exists so a missing variable cannot raise a TCL error.
    if { ![info exists sni_exists] || !$sni_exists } {
        set ssl_bypass_mitm 0
        set subject [X509::subject [SSL::cert 0]]
        # CN followed by another RDN, or CN as the last RDN in the subject
        if { [regexp {CN=(.*?),} $subject -> subcn] || [regexp {CN=(.*?)$} $subject -> subcn] } {
            set this_uri "http://$subcn/"
            set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
            if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                set ssl_bypass_mitm 1
            }
        }
    }
}

when CLIENTSSL_SERVERHELLO_SEND {
    # SNI present: classify the SNI hostname (the no-SNI case was already
    # decided in SERVERSSL_HANDSHAKE).
    if { ![info exists ssl_bypass_mitm] && [info exists ssl_ext_sn] } {
        set this_uri "http://$ssl_ext_sn/"
        set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
        if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
            set ssl_bypass_mitm 1
        } else {
            set ssl_bypass_mitm 0
        }
    }
    if { [info exists ssl_bypass_mitm] } {
        if { $ssl_bypass_mitm } {
            SSL::forward_proxy policy bypass
            catch { HTTP::disable }
        } else {
            SSL::forward_proxy policy intercept
        }
    }
}

when SERVER_CONNECTED {
    # Bypassed flows carry no inspectable HTTP, so keep the HTTP profile off.
    if { [info exists ssl_bypass_mitm] && $ssl_bypass_mitm } {
        catch { HTTP::disable }
    }
}

when HTTP_REQUEST {
    # Tell the upstream gateway which port and SNI this request arrived on,
    # then hand the decrypted request to the gateway pool in the clear.
    if { [info exists ssl_ext_sn] } {
        HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${ssl_ext_sn}"
    } else {
        HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
    }
    LB::detach
    SSL::disable serverside
    pool Internet_Gateways
}
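The iRule above leans on three protocol details: the first byte of the TCP payload is the TLS record content type (the `binary scan ... c type` in CLIENT_DATA), `SSL::extensions -type 0` returns the raw server_name extension that the `S1S1S1cS1a*` scan unpacks, and without SNI the rule falls back to the server certificate's subject CN via two regexps. The following Python is an added example, not code from the original post or from the F5 deployment guide; it reproduces those steps on constructed ClientHello bytes and a constructed category table (`FAKE_CATEGORY_DB`, `build_client_hello` and `decide` are stand-ins for `CATEGORY::lookup` and the SWG URL database, not F5 APIs) so the decision path can be checked offline.

```python
from __future__ import annotations

import re
import struct

# TLS record content types the iRule's CLIENT_DATA branch switches on
TLS_CHANGE_CIPHER_SPEC = 20
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23

# The bypass list from the posted iRule
BYPASS_CATEGORIES = {
    "/Common/Financial_Data_and_Services",
    "/Common/Health",
    "/Common/Facebook_Chat",
}
# Constructed stand-in for the SWG URL database behind CATEGORY::lookup
FAKE_CATEGORY_DB = {
    "www.hsbc.co.uk": "/Common/Financial_Data_and_Services",
    "www.reddit.com": "/Common/Social_Web",
}


def build_client_hello(sni: str | None) -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed test input).

    sni=None produces an empty extensions block, the case the iRule
    handles in SERVERSSL_HANDSHAKE by falling back to the server cert CN.
    """
    ext = b""
    if sni is not None:
        name = sni.encode()
        sn_list = struct.pack(">BH", 0, len(name)) + name  # name_type host_name(0), length, name
        body = struct.pack(">H", len(sn_list)) + sn_list    # server_name_list length
        ext = struct.pack(">HH", 0, len(body)) + body       # extension type 0, extension length
    hello = (
        b"\x03\x03" + b"\x11" * 32            # client_version + fixed 32-byte random
        + b"\x00"                             # session_id length 0
        + b"\x00\x02\xc0\x2f"                 # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + struct.pack(">H", len(ext)) + ext   # extensions block
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello(1)
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def record_type(payload: bytes) -> int:
    """CLIENT_DATA: `binary scan [TCP::payload] c type` reads one signed byte."""
    return struct.unpack("b", payload[:1])[0]


def sni_extension_bytes(record: bytes) -> bytes | None:
    """Return the raw server_name extension from a ClientHello, or None.

    This is what `SSL::extensions -type 0` hands the iRule: the extension
    header included, so the scan below starts at the extension type field.
    """
    p = 5 + 4                                     # record header + handshake header
    p += 2 + 32                                   # client_version + random
    p += 1 + record[p]                            # session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                            # compression_methods
    ext_total = struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[p:p + 4])
        if ext_type == 0:
            return record[p:p + 4 + ext_len]
        p += 4 + ext_len
    return None


def parse_sni(ext: bytes) -> str:
    """Same field layout as `binary scan ... S1S1S1cS1a*` in CLIENTSSL_CLIENTHELLO."""
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack(">HHHBH", ext[:9])
    if ext_type != 0 or name_type != 0:
        raise ValueError("not a host_name server_name extension")
    return ext[9:9 + name_len].decode()


def cn_from_subject(subject: str) -> str | None:
    """The iRule's CN fallback: `CN=(.*?),` first, then `CN=(.*?)$` for a trailing CN."""
    m = re.search(r"CN=(.*?),", subject) or re.search(r"CN=(.*?)$", subject)
    return m.group(1) if m else None


def decide(client_hello: bytes, server_cert_subject: str) -> str:
    """'bypass' or 'intercept', following the posted rule's order of precedence."""
    ext = sni_extension_bytes(client_hello)
    host = parse_sni(ext) if ext is not None else cn_from_subject(server_cert_subject)
    category = FAKE_CATEGORY_DB.get(host, "/Common/Uncategorized") if host else None
    return "bypass" if category in BYPASS_CATEGORIES else "intercept"
```

Running `decide(build_client_hello("www.reddit.com"), "")` returns "intercept" and the HSBC hostname returns "bypass", so with this table both posted examples take the branch the rule intends; a ClientHello without SNI is classified from the certificate subject instead, and a subject with no CN at all lands on intercept, matching the `ssl_bypass_mitm 0` default.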
12 Replies
- Yann_Desmarest_
Nacreous
Hello,
Why not just set up an SSL forward proxy configuration and apply a specific SSL profile for that:
You can also define a bypass list within the SSL profile directly
- shopkeeper56_23
Cirrostratus
That method would require that I manually input every site/hostname that I would like to bypass. The intention here is to use URL DB categories from the SWG to determine which sites should be bypassed (see the F5 documentation I linked). And as mentioned in my post, the bypassing isn't the issue here. The fact is that the above iRule, which is supplied by F5 verbatim as part of their deployment guide, is for some reason bombing out non-bypassed HTTPS connections.
- Yann_Desmarest_
Nacreous
Are you sure that a "non-bypassed" connection hits the following command within the iRule: SSL::forward_proxy policy intercept? Did you add some logs in the iRule to check the path used for those failing connections?
- shopkeeper56_23
Cirrostratus
I did not add anything to the iRule. It's taken verbatim from F5's documentation, barring changes to pool information. How would I log that to be sure?