behavior of SSL::disable serverside

Mike757
MVP

Hello!

I've configured an https virtual server, with an associated iRule that chooses the server pool according to the URI.

The only unusual thing is that some of the pools have SSL servers and others use plain HTTP. Due to that, along with the 'pool' instruction I have also inserted a SSL::disable statement. Both client- and server-side SSL profiles are configured in the virtual server.

Tests have shown that traffic works fine. However, the ltm log is full of messages like this:

tmm[22695]: 01260009:4: 10.x.x.11%2:9090 -> 10.x.x.10%2:64337: Connection error: ssl_null_parse:3708: alert(10) invalid record type
tmm[22695]: 01260013:4: SSL Handshake failed for TCP 10.x.x.11%2:9090 -> 10.x.x.10%2:64337

I can show a sample of the iRule section that performs the pool choice, it's a 'switch' statement that looks like this:

switch -glob [string tolower [HTTP::uri]] {
    "/path1/*" {
        pool POOL-path1
        persist cookie insert cookie1
    }
    "/path2/*" {
        pool POOL-path2
        persist cookie insert cookie2
    }
    "/path3/*" {
        SSL::disable serverside
        pool POOL-path3
    }
}

That "10.x.x.11%2:9090" in the log line is a pool member from POOL-path3, no doubts whatsoever.

The message makes it look like SSL is not being disabled - not at first - but the fact that the client receives content from /path3 is more than enough proof that SSL was disabled at some point. So how do I get this to work as expected? (with the benefit of cleaning my ltm log...) I haven't found any relevant information on KB articles or devcentral posts.

There is one devcentral post - https://community.f5.com/t5/technical-forum/ssl-disable-serverside/m-p/207774 - with a similar request. The proposed answer was never validated, but it's the same as my recipe above, except for the logging line. Anyway, I don't have a problem with the iRule not working... I have a problem with filling the log with trash, and possibly a performance issue if this goes into production as it is.

/Mike
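Since the goal is as much to stop the log noise as to make traffic flow, a small check that turns those two ltm log messages into a per-member count is useful both for confirming a fix and for catching a regression later. The following Python is an added example, not code from this thread or from F5: it parses constructed sample log lines in the format quoted above and reports any member on a list of known plain-HTTP pool members that still received SSL handshake attempts. The message IDs 01260009 and 01260013 come from the post; the addresses, timestamps, hostnames and the iRule log line in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm lines, modelled on the two messages quoted
# in the post. Hostnames, PIDs, addresses and timestamps are made up for this
# example; they are not from the original thread.
SAMPLE_LTM_LOG = """\
Jun  3 10:01:02 bigip1 warning tmm[22695]: 01260009:4: 10.0.0.11%2:9090 -> 10.0.0.10%2:64337: Connection error: ssl_null_parse:3708: alert(10) invalid record type
Jun  3 10:01:02 bigip1 warning tmm[22695]: 01260013:4: SSL Handshake failed for TCP 10.0.0.11%2:9090 -> 10.0.0.10%2:64337
Jun  3 10:01:05 bigip1 warning tmm[22695]: 01260013:4: SSL Handshake failed for TCP 10.0.0.11%2:9090 -> 10.0.0.10%2:64340
Jun  3 10:01:07 bigip1 warning tmm1[22696]: 01260013:4: SSL Handshake failed for TCP 10.0.0.21%2:443 -> 10.0.0.10%2:64401
Jun  3 10:01:09 bigip1 info tmm[22695]: Rule /Common/IRULE-wwwq-443 <HTTP_REQUEST>: usessl value is 0
"""

# 01260013: the TLS handshake with the peer failed outright.
HANDSHAKE_FAILED_RE = re.compile(
    r"(?P<code>01260013):\d+: SSL Handshake failed for TCP "
    r"(?P<peer>\S+) -> (?P<local>\S+)\s*$"
)
# 01260009: the TLS record parser saw bytes that were not a TLS record, which
# is what a plaintext HTTP response looks like to a server-ssl profile.
RECORD_ERROR_RE = re.compile(
    r"(?P<code>01260009):\d+: (?P<peer>\S+) -> (?P<local>\S+): Connection error: "
    r"(?P<detail>.+?)\s*$"
)


def split_member(addr):
    """'10.0.0.11%2:9090' -> ('10.0.0.11', 9090); the %N route-domain suffix is dropped."""
    host_rd, port = addr.rsplit(":", 1)
    host = host_rd.split("%", 1)[0]
    return host, int(port)


def parse_ssl_events(log_text):
    """Extract the SSL error events from ltm log text.

    In both message formats the first address is the peer BIG-IP was talking
    to, which for a serverside failure is the pool member (as the post notes).
    """
    events = []
    for line in log_text.splitlines():
        m = HANDSHAKE_FAILED_RE.search(line) or RECORD_ERROR_RE.search(line)
        if m is None:
            continue  # unrelated line (monitor status, iRule log output, ...)
        events.append({
            "code": m.group("code"),
            "peer": split_member(m.group("peer")),
            "local": split_member(m.group("local")),
            "detail": m.groupdict().get("detail") or "",
        })
    return events


def tls_attempts_to_plain_http(events, plain_http_members):
    """Count SSL errors whose peer is a member that should only ever see plain HTTP.

    Any non-zero count means a server-ssl profile was still active on a
    connection where the iRule was expected to have disabled it.
    """
    hits = Counter()
    for ev in events:
        if ev["peer"] in plain_http_members:
            hits[ev["peer"]] += 1
    return hits


if __name__ == "__main__":
    # POOL-path3 is the HTTP-only pool in the thread; this member address is constructed.
    plain_http = {("10.0.0.11", 9090)}
    evs = parse_ssl_events(SAMPLE_LTM_LOG)
    for (host, port), n in tls_attempts_to_plain_http(evs, plain_http).items():
        print(f"{host}:{port} received {n} SSL handshake attempt(s) but is configured as plain HTTP")
```

Feed it the real log (or a syslog export) and the members of the HTTP-only pools; a handshake failure against a TLS-capable member, like the constructed 10.0.0.21:443 line, is deliberately left out of the count because it points at a different problem (certificate or cipher mismatch), not at a misplaced SSL::disable.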

1 ACCEPTED SOLUTION

xuwen
MVP

Better give the config from list ltm virtual xxx and a serverside tcpdump to watch whether F5 sends a ClientHello to this pool member.

Modify this iRule to test:

when HTTP_REQUEST {
    set usessl 0
    switch -glob [string tolower [HTTP::uri]] {
        "/path1/*" {
            set usessl 1
            pool POOL-path1
            persist cookie insert cookie1
        }
        "/path2/*" {
            set usessl 1
            pool POOL-path2
            persist cookie insert cookie2
        }
        "/path3/*" {
            set usessl 0
            # SSL::disable serverside
            pool POOL-path3
        }
        default {
            set usessl 1
        }
    }
}
when SERVER_CONNECTED {
    # the decision was made in HTTP_REQUEST; disable server-side SSL only for the plain-HTTP pool
    log local0. "usessl value is $usessl"
    if { $usessl == 0 } {
        SSL::disable
    }
}

6 REPLIES

Mike757
MVP

Hi xuwen,

and thanks for the answer. I can indeed share my VS config (below) but it probably will take a little while to get a tcpdump (no remote access to customer).

ltm virtual /Common/VS-wwwq-443 {
    description "VIP https://wwwq.xxxxxxx"
    destination /Common/10.x.x.12%2:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/HTTP-wwwq { }
        /Common/SSL-C-wwwq {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp-lan-optimized { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0%2/0
    source-address-translation {
        type automap
    }
    rules {
        IRULE-wwwq-443
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/VLAN-1319
    }
    vlans-enabled
}

I can also try some iRule logging, but wouldn't the SSL::disable command, without the serverside option, try to disable SSL also from clientside?

[Edit]

Just took a closer look at https://clouddocs.f5.com/api/irules/SSL__disable.html, and I see your point. Will try to test this ASAP... which might mean next Monday.

/Mike

Your iRules and VS config look normal. iRules Home for SSL::disable says:

Disables SSL processing on one side of the LTM. Sends an SSL alert to the peer requesting termination of SSL processing

Does F5 send an SSL alert packet on the serverside to the pool member, causing this scenario?

So you need to tcpdump on the serverside to watch whether F5 sends a ClientHello or an SSL alert to the HTTP pool member.

xuwen, you're the man!

Improved iRule worked like a charm. And yes, before the changes I saw the attempt of SSL handshake with the server.

/Mike

Because SSL::disable is described as sending an SSL alert message to the peer, and I'm not sure because I did not experiment with VE.

In short, iRules Home should simply describe the scope of use of the function, and BIG-IP VE should be used to experiment for the specific details. A few days ago, with [TCP::option get 28], someone directly copied the example code shown for the CLIENT_ACCEPTED event, which caused the value of [string length [TCP::option get 28]] to be 0, and had Akamai capture packets. Akamai truly did carry the TCP option 28 field. Finally, testing on VE found that in this situation [TCP::option get 28] should be used in the CLIENT_DATA event and not in the CLIENT_ACCEPTED event.

The iRules event flow order shows that SSL::disable should be in the CLIENT_ACCEPTED or SERVER_CONNECTED event.

Here is the link to the iRule events flow order:

https://clouddocs.f5.com/training/community/irules/html/class1/module1/iRuleEventsFlowHTTPS.html

Even though there is an approved solution here, I only want to mention that LTM Policies will do this just fine. I always use LTM policies over iRules and only use iRules for things an LTM policy can't do. So if you don't want to hassle with iRules, just create an LTM policy 🙂