Forum Discussion
garfield831_116
Nimbostratus
Mar 07, 2013
SSL persistence & resumption - why doesn't it work
Hi All,
It's my first post here.
I have a project where a client connects to a server through an F5.
The F5 decrypts the traffic, runs it through the WAF, then re-encrypts it and sends it to one of the nodes.
Our...
garfield831_116
Nimbostratus
Mar 08, 2013
I changed some names and IPs to xxxx.
ltm rule /Common/insert_ssl_session_id {
    # Fires whenever the client presents a certificate (initial handshake or renegotiation).
    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        # Cache the certificate fields in the session table, keyed by SSL session ID,
        # so they can be retrieved on later requests of this session; timeout 1800 s.
        session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
    }
    when HTTP_REQUEST {
        if { [SSL::cert count] < 1 } {
            # No client certificate on this connection yet: ask for one via renegotiation.
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            # Certificate already seen: look up the cached values for this SSL session
            # and pass them to the pool member as HTTP headers.
            set values [session lookup uie [SSL::sessionid]]
            if { [lindex $values 0] != "" } {
                HTTP::header insert XClientSSL_Serial [lindex $values 0]
                log local0. "Inserting Serial [lindex $values 0]"
                HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                log local0. "Inserting Issuer [lindex $values 1]"
                HTTP::header insert XClientSSL_Subject [lindex $values 2]
                log local0. "Inserting Subject [lindex $values 2]"
                HTTP::header insert XVersion [lindex $values 3]
                log local0. "Inserting Version [lindex $values 3]"
            }
        }
    }
}
ltm virtual /Common/xxxx_VS_y.y.y.y {
    destination /Common/y.y.y.y:443
    http-class {
        /Common/xxxx
    }
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/xxxx_NET_POOL
    profiles {
        /Common/xxxx_TCP_profile { }
        /Common/xxxx {
            context clientside
        }
        /Common/xxxxx {
            context serverside
        }
        /Common/http_x_forwarded_for { }
    }
    rules {
        /Common/insert_ssl_session_id
    }
    snat automap
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/xxx
    }
    vlans-enabled
}
ltm profile client-ssl /Common/xxxxx_client {
    app-service none
    cert /Common/xxxxx_cert.crt
    defaults-from /Common/clientssl
    key /Common/xxxxx_cert.key
    options { no-session-resumption-on-renegotiation }
    renegotiate-max-record-delay 100
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation request
}