Using BIG-IP LTM as a forward proxy, SSL problem!
Okay, I'm back. 😉
The following iRule mods are for the SSL Intercept iApp. I see that you may be doing something manual, but you may want to try the iApp since it's doing pretty much the same thing and should be able to support your config. So you'll build the iApp and that'll create two iRules - an ingress iRule and an egress iRule.
Here's the modified ingress iRule:
when CLIENT_ACCEPTED {
    HTTP::disable
    SSL::disable clientside
    SSL::disable serverside
    TCP::collect
}
when CLIENT_DATA {
    # First byte of the client payload is the TLS record content type:
    # 20 = ChangeCipherSpec, 22 = Handshake, 23 = ApplicationData
    binary scan [TCP::payload] c type
    if { ( $type == 23 ) or ( $type == 20 ) } {
        SSL::enable clientside
        SSL::enable serverside
    } elseif { $type == 22 } {
        SSL::enable clientside
        SSL::enable serverside
        HTTP::enable
    }
    TCP::release
}
when CLIENTSSL_CLIENTHELLO {
    # Extension type 0 is server_name (SNI); skip the 9-byte header to get the name
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9a* tls_servername
    }
}
when HTTP_REQUEST {
    # Carry the original destination port and SNI across the gap in a header
    if { [info exists tls_servername] } {
        HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${tls_servername}"
    } else {
        HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
    }
    LB::detach
    SSL::disable serverside
    # CHANGE THIS TO REFLECT THE REAL INGRESS (PORT 80) POOL NAME
    pool airgap_ingress_pool_80
}
And the modified egress iRule:
when HTTP_REQUEST {
    if { not ( [HTTP::header exists X-Proxy-HTTPS] ) } {
        SSL::disable serverside
        # CHANGE THIS TO REFLECT THE REAL EGRESS *ANY* POOL NAME
        pool airgap_egress_pool_any
    } else {
        # Header format is "<port>:<sni>"; "0" means no SNI was seen on ingress
        if { [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 1] ne "0" } {
            set servername [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 1]
        }
        node [lindex [active_nodes -list airgap_egress_pool_any] 0] [lindex [split [HTTP::header X-Proxy-HTTPS] ":"] 0]
        HTTP::header remove X-Proxy-HTTPS
    }
}
when SERVERSSL_CLIENTHELLO_SEND {
    # Rebuild the server_name extension and insert it into the outbound ClientHello
    if { [info exists servername] } {
        set bin [binary format S1S1S1S1ca* 0 [expr [string length ${servername}] + 5] [expr [string length ${servername}] + 3] 0 [string length ${servername}] ${servername}]
        SSL::extensions insert $bin
    }
}
This iRule specifically supports sending SNI across the inspection gap to the egress re-encryption VIP. It'll make it into the iApp soon. As for tyk.io, this site specifically requires ECDHE-ECDSA, which isn't supported in forward proxy SSL until 11.6 HF5 and 12.0. You'll need to upgrade to one of these versions to support these ciphers.
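The egress iRule above rebuilds the SNI extension with a Tcl binary format of S1S1S1S1ca*, which at first glance does not match the RFC 6066 layout (a one-byte name type followed by a two-byte name length). The following Python is an added example, not code from the post or from F5: it reproduces the iRule's byte layout, parses the result with a strict RFC 6066 parser, and shows why the two agree for names shorter than 256 bytes (the 16-bit zero name_type and the 8-bit length together read back as an 8-bit name_type and a 16-bit length). It also mirrors the ingress iRule's first-byte record-type check and the "port:sni" header split. The function names and the sample hostname are my own.

```python
import struct
from typing import Optional, Tuple

# TLS record content types the ingress iRule's CLIENT_DATA event tests
TLS_CHANGE_CIPHER_SPEC = 20
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23


def classify_first_byte(payload: bytes) -> str:
    """Mirror the ingress iRule: the first byte of the client payload decides
    which profiles get re-enabled (SSL only, SSL plus HTTP, or neither)."""
    if not payload:
        return "unknown"
    t = payload[0]
    if t in (TLS_APPLICATION_DATA, TLS_CHANGE_CIPHER_SPEC):
        return "ssl-only"
    if t == TLS_HANDSHAKE:
        return "ssl-and-http"
    return "plain"


def build_sni_extension(servername: str) -> bytes:
    """Reproduce the iRule's [binary format S1S1S1S1ca* ...] byte for byte.
    Tcl 'S' is a 16-bit big-endian field, 'c' an 8-bit field, 'a*' raw bytes,
    so the fields are: type(16) ext_len(16) list_len(16) 0(16) name_len(8) name."""
    name = servername.encode("ascii")
    n = len(name)
    if n > 255:
        # The iRule's 8-bit 'c' field cannot hold a longer length; the
        # extension would be malformed rather than merely truncated.
        raise ValueError("server name exceeds the 8-bit length field used by the iRule")
    return struct.pack("!HHHHB", 0, n + 5, n + 3, 0, n) + name


def parse_sni_extension(ext: bytes) -> dict:
    """Strict RFC 6066 parse: ext_type(2) ext_len(2) list_len(2)
    name_type(1) name_len(2) name. Raises ValueError on any length mismatch."""
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    body = ext[4:4 + ext_len]
    if len(body) != ext_len:
        raise ValueError("extension length does not match data")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    if len(entries) != list_len or list_len < 3:
        raise ValueError("server_name list length does not match data")
    name_type = entries[0]
    (name_len,) = struct.unpack("!H", entries[1:3])
    name = entries[3:3 + name_len]
    if len(name) != name_len or 3 + name_len != list_len:
        raise ValueError("host_name length does not match data")
    return {"ext_type": ext_type, "name_type": name_type,
            "server_name": name.decode("ascii")}


def parse_proxy_header(value: str) -> Tuple[int, Optional[str]]:
    """Split the X-Proxy-HTTPS header "<port>:<sni>" the way the egress iRule
    does; the ingress side writes "0" when no SNI was present."""
    port, _, name = value.partition(":")
    return int(port), (name if name != "0" else None)


if __name__ == "__main__":
    # Constructed sample: the value the ingress iRule would insert for a
    # client that sent SNI "www.example.com" to port 443.
    port, sni = parse_proxy_header("443:www.example.com")
    ext = build_sni_extension(sni)
    print(port, ext.hex(), parse_sni_extension(ext))
```

Running the block shows that the iRule's encoding round-trips through a strict parser, and that the only edge it cannot handle is a host name of 256 bytes or more, which the 8-bit length field in the Tcl format cannot represent.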