Forum Discussion

ReWrite_132188
Aug 31, 2015

Using BIG-IP LTM as a forward proxy, SSL problem!

Hi, I have deployed an F5 BIG-IP with LTM and Forward SSL as a forward proxy.

I am using the F5 as an "air-gap" so I can do content inspection with a FireEye and a Checkpoint appliance. I am not using the reference design with two boxes, but just one, where I forward traffic from one VS to the Checkpoint appliance, and the Checkpoint has a new VS as the next hop in its routing table.

The problem I am facing is that some sites won't work with SSL decryption, like tyk.io, play.spotifiy.com and docks.docker.com, among others.

We get the SSL mismatch error in Firefox and Chrome.

I have used tcpdump and ssldump to check the traffic, and it seems like the F5 is doing everything as it should, but the browsers still give me an SSL mismatch error.

The F5 is a full proxy, so the cipher the F5 and the web server are using should not have any impact on what the client's browser and the F5 are using? Or could that be the issue?

Anyway, is anyone else using the F5 as a forward proxy, and do they have a mostly working cipher string to use on the VS that communicates with the internet?

5 Replies

  • I'm not entirely sure about spotify, unless you're just spelling it incorrectly (play.spotifiy.com), but the other two sites require SNI (server name indication), which is not yet functional in the air gap config. Support for that is forthcoming.

  • Oh, I got Spotify working. It was a network admin who had blocked UDP/443.

    So, without SNI support, there is no way to make the sites work using airgap?

  • There is. I got it working with an iRule patch this morning, but give me a day or two to work out some bugs.

    As for tyk.io, SNI is only one of the problems there. That site appears to require ECDHE-ECDSA, and as it happens, ECDSA is the one cipher not currently supported in SSL forward proxy (as of 11.6).

  • Oh, really? That's amazing. I was in contact with Support, who told me SNI support on Forward Proxy was 2-3 months away, but it would be cool if we could get around it with iRules. :)

  • Okay, I'm back. 😉

    The following iRule mods are for the SSL Intercept iApp. I see that you may be doing something manual, but you may want to try the iApp since it's doing pretty much the same thing and should be able to support your config. So you'll build the iApp and that'll create two iRules - an ingress iRule and an egress iRule.

    Here's the modified ingress iRule:

    when CLIENT_ACCEPTED {
        HTTP::disable
        SSL::disable clientside
        SSL::disable serverside
        TCP::collect
    }
    when CLIENT_DATA {
        # First byte of the collected payload is the TLS record content type:
        # 20 = ChangeCipherSpec, 22 = Handshake, 23 = ApplicationData
        binary scan [TCP::payload] c type
        if { ( $type == 23 ) or ( $type == 20 ) } {
            SSL::enable clientside
            SSL::enable serverside
        } elseif { $type == 22 } {
            SSL::enable clientside
            SSL::enable serverside
            HTTP::enable
        }
        TCP::release
    }
    when CLIENTSSL_CLIENTHELLO {
        # Extension type 0 is server_name; skip its 9-byte header
        # (ext type, ext length, list length, name type, name length)
        if { [SSL::extensions exists -type 0] } {
            binary scan [SSL::extensions -type 0] @9a* tls_servername
        }
    }
    when HTTP_REQUEST {
        # Carry the original port and SNI across the gap in a header; "0" = no SNI
        if { [info exists tls_servername] } {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${tls_servername}"
        } else {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
        }
        LB::detach
        SSL::disable serverside

        # CHANGE THIS TO REFLECT THE REAL INGRESS (PORT 80) POOL NAME
        pool airgap_ingress_pool_80
    }
    

    And the modified egress iRule:

    when HTTP_REQUEST {
        if { not ( [HTTP::header exists X-Proxy-HTTPS] ) } {
            SSL::disable serverside

            # CHANGE THIS TO REFLECT THE REAL EGRESS *ANY* POOL NAME
            pool airgap_egress_pool_any
        } else {
            # Header is "<port>:<sni>"; "0" means the client sent no SNI
            if { [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 1] ne "0" } {
                set servername [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 1]
            }
            node [lindex [active_nodes -list airgap_egress_pool_any] 0] [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 0]
            HTTP::header remove X-Proxy-HTTPS
        }
    }
    when SERVERSSL_CLIENTHELLO_SEND {
        # Rebuild the server_name extension: ext type 0, ext length,
        # list length, name type 0, name length, host name
        if { [info exists servername] } {
            set bin [binary format S1S1S1S1ca* 0 [expr [string length ${servername}] + 5] [expr [string length ${servername}] + 3] 0 [string length ${servername}] ${servername}]
            SSL::extensions insert $bin
        }
    }
    

    This iRule specifically supports sending SNI across the inspection gap to the egress re-encryption VIP. It'll make it into the iApp soon. As for tyk.io, this site specifically requires ECDHE-ECDSA, which isn't supported in forward proxy SSL until 11.6 HF5 and 12.0. You'll need to upgrade to one of these versions to support these ciphers.
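The two iRules above depend on a small amount of byte layout: the TLS record content type that CLIENT_DATA dispatches on, the server_name extension that the ingress iRule reads with `@9a*` and the egress iRule rebuilds with `binary format S1S1S1S1ca*`, and the `X-Proxy-HTTPS` header that carries the SNI across the inspection gap. The following Python is an added example that models those three pieces so they can be checked offline; it is not F5 code and not part of this thread, and the function names and the sample host names are my own. It also adds the length checks the ingress iRule's `@9a*` scan skips, and shows why the egress iRule's four-shorts-plus-one-byte encoding is byte-identical to the RFC 6066 layout for any valid host name.

```python
"""Added example: the byte layout behind the SNI air-gap iRules (not F5 code)."""
import struct
from typing import Optional, Tuple

# TLS record content types (RFC 5246), as tested in the iRule's CLIENT_DATA event
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
APPLICATION_DATA = 23


def classify_first_byte(payload: bytes) -> str:
    """Mimic `binary scan [TCP::payload] c type` and the if/elseif that follows.
    Assumes the collected payload starts on a TLS record boundary."""
    if not payload:
        return "empty"
    content_type = payload[0]
    if content_type in (CHANGE_CIPHER_SPEC, APPLICATION_DATA):
        return "ssl-only"          # SSL::enable both sides, HTTP stays disabled
    if content_type == HANDSHAKE:
        return "ssl+http"          # SSL::enable both sides and HTTP::enable
    return "unknown"               # not TLS; the iRule just releases the payload


def build_sni_extension(servername: str) -> bytes:
    """server_name extension per RFC 6066 section 3:
    ext type (2) | ext len (2) | list len (2) | name type (1) | name len (2) | name."""
    name = servername.encode("ascii")
    if not name or len(name) > 253:
        raise ValueError("host name must be 1..253 bytes")
    return struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name


def build_sni_extension_irule_style(servername: str) -> bytes:
    """Byte-for-byte what the egress iRule's `binary format S1S1S1S1ca*` emits:
    four big-endian shorts, one byte, then the name. The fourth short (0) and the
    single byte land where RFC 6066 puts name type (0x00) and the two-byte name
    length, so this equals build_sni_extension() whenever the name is shorter
    than 256 bytes, which every valid host name is."""
    name = servername.encode("ascii")
    return struct.pack("!HHHHB", 0, len(name) + 5, len(name) + 3, 0, len(name) & 0xFF) + name


def parse_sni_extension(ext: bytes) -> str:
    """What the ingress iRule does with `@9a*` (skip 9 header bytes, take the rest
    as the host name), plus the length checks the iRule omits, so a truncated or
    malformed extension is rejected instead of being forwarded."""
    if len(ext) < 9:
        raise ValueError("SNI extension shorter than its header")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    name = ext[9:]
    if ext_type != 0 or name_type != 0:
        raise ValueError("not a host_name server_name extension")
    if ext_len != len(name) + 5 or list_len != len(name) + 3 or name_len != len(name):
        raise ValueError("inconsistent server_name lengths")
    return name.decode("ascii")


def encode_proxy_header(local_port: int, servername: Optional[str]) -> str:
    """X-Proxy-HTTPS value as the ingress iRule inserts it; "0" means no SNI seen."""
    return f"{local_port}:{servername if servername else '0'}"


def decode_proxy_header(value: str) -> Tuple[int, Optional[str]]:
    """Egress side: split on ':' like the iRule's `lindex [split ... ":"]`."""
    port, name = value.split(":", 1)
    return int(port), (None if name == "0" else name)


def roundtrip(servername: str) -> str:
    """Client SNI -> header across the gap -> rebuilt extension -> parsed name."""
    header = encode_proxy_header(443, servername)
    _, name = decode_proxy_header(header)
    return parse_sni_extension(build_sni_extension_irule_style(name))


if __name__ == "__main__":
    hello = bytes.fromhex("160301")          # constructed: start of a TLS handshake record
    print(classify_first_byte(hello))
    print(build_sni_extension("docs.docker.com").hex())
    print(roundtrip("docs.docker.com"))
```

Running it with a constructed ClientHello prefix and the host names from the thread confirms that the header round-trip reproduces the client's SNI on the egress side, and that a truncated extension fails the length checks rather than yielding a clipped host name.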