Forum Discussion

Ken-Dawg
Sep 22, 2022

what's wrong with my syntax in this iRule?

I want to write an iRule to key on a source IP and log the pre-shared master keys:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            when CLIENTSSL_HANDSHAKE {
                log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
            }
            when SERVERSSL_HANDSHAKE {
                log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
            }
        }

  • Can't have iRule events nested inside other events.

    when CLIENTSSL_HANDSHAKE {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        }
    }
    
    when SERVERSSL_HANDSHAKE {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        }
    }

  • Just do this in the server side event to see what the client IP is:

    when SERVERSSL_HANDSHAKE {
        log local0. "client IP: [IP::client_addr]"
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
        }
    }
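The log statement in the iRule above writes each handshake as "RSA Session-ID:&lt;hex&gt; Master-Key:&lt;hex&gt;", which is exactly the line format Wireshark accepts in an NSS key log file. As an added example (not code from this thread or from F5), the Python below pulls those lines out of /var/log/ltm text, optionally filters on the logged client port, drops resumed-session duplicates and entries that carry no session ID, and emits a key log you can hand to Wireshark. The sample log lines, the rule name /Common/log_keys and all hex values are constructed.

```python
"""Convert iRule key-logging output from /var/log/ltm into an NSS key log.

Assumes the iRule from the thread: each CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE
logs "<client_port> :: RSA Session-ID:<hex> Master-Key:<hex>" to local0.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample: hypothetical rule name, ports, session IDs and master keys.
SID_A, MK_A = "aa" * 32, "bb" * 48   # 32-byte session ID, 48-byte master secret
SID_B, MK_B = "cc" * 32, "dd" * 48
MK_C = "ee" * 48
SAMPLE_LTM_LOG = "\n".join([
    f"Sep 22 10:15:01 bigip1 info tmm[1234]: Rule /Common/log_keys <CLIENTSSL_HANDSHAKE>: 51234 :: RSA Session-ID:{SID_A} Master-Key:{MK_A}",
    f"Sep 22 10:15:01 bigip1 info tmm[1234]: Rule /Common/log_keys <SERVERSSL_HANDSHAKE>: 51234 :: RSA Session-ID:{SID_B} Master-Key:{MK_B}",
    # Resumed client session on a new port: same session ID and master key again.
    f"Sep 22 10:15:02 bigip1 info tmm[1234]: Rule /Common/log_keys <CLIENTSSL_HANDSHAKE>: 51235 :: RSA Session-ID:{SID_A} Master-Key:{MK_A}",
    # Handshake without a session ID: Wireshark cannot key on it, so it is dropped.
    f"Sep 22 10:15:03 bigip1 info tmm[1234]: Rule /Common/log_keys <CLIENTSSL_HANDSHAKE>: 51236 :: RSA Session-ID: Master-Key:{MK_C}",
    "Sep 22 10:15:04 bigip1 notice mcpd[5678]: 01070417:5: unrelated message",
])

# Matches the event name, the logged client port and the two hex fields.
LINE_RE = re.compile(
    r"<(?P<event>[A-Z_]+)>:\s*"
    r"(?P<port>\d+)\s*::\s*"
    r"RSA Session-ID:(?P<sid>[0-9a-fA-F]*)\s+"
    r"Master-Key:(?P<mk>[0-9a-fA-F]*)"
)


def parse_keylog_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per matching log line; unrelated lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_complete(entry: Dict[str, str]) -> bool:
    """A usable entry has a 1..32-byte session ID and a 48-byte master secret."""
    return 0 < len(entry["sid"]) <= 64 and len(entry["mk"]) == 96


def to_nss_keylog(entries: List[Dict[str, str]], port: Optional[int] = None) -> List[str]:
    """Build de-duplicated NSS key log lines, optionally for one client port only."""
    lines: List[str] = []
    seen = set()
    for e in entries:
        if port is not None and int(e["port"]) != port:
            continue
        if not is_complete(e):
            continue
        key = (e["sid"].lower(), e["mk"].lower())
        if key in seen:          # resumed session: same secret, log it once
            continue
        seen.add(key)
        lines.append(f"RSA Session-ID:{key[0]} Master-Key:{key[1]}")
    return lines


if __name__ == "__main__":
    # Pipe /var/log/ltm in, or run with no input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LTM_LOG
    port_filter = int(sys.argv[1]) if len(sys.argv) > 1 else None
    print("\n".join(to_nss_keylog(parse_keylog_entries(text), port_filter)))
```

Point Wireshark at the output file (Preferences, Protocols, TLS, "(Pre)-Master-Secret log filename") to decrypt a capture of the same flows. The file carries the same decryption power as the session secrets themselves, so keep it, and /var/log/ltm while the iRule is active, under the same access controls as the virtual server's private key, and remove the iRule when the troubleshooting is done.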

    • Ken-Dawg

      Thank you so much Kevin, although for my SERVERSSL_HANDSHAKE I think I should use my self IP? Unless the iRule only looks at the cs-client-addr?

      • Kevin_Stewart

        You're saying, if the client source address is 10.10.10.10, log the client side session-id and server side session-id.

        [IP::client_addr] is still the client source, even on the server side.