Forum Discussion

Koragg332's avatar
Koragg332
Icon for Altostratus rankAltostratus
May 24, 2022
Solved

Capture SSL handshae failure via iRule

Hello all.
I would like to ask for help when building iRule for SSL. We are in migration of our service from RSA to ECDSA cipher suite (because of security findings) and I need to log following via iRule:
-- client IP and destination URL
-- and choosed cipher when successful handshake
-- or provide an error for handshake failure in case there is no matching cipher

So far, I have following simple iRule:

 

when FLOW_INIT {
    log local0. "S: [IP::client_addr] starting session ..."
}

when HTTP_REQUEST { 
    log local0. "S: [IP::client_addr] --> [HTTP::host], cipher [SSL::cipher name]" 
}

 

Via it, I'm able to catch start of session and the first 2 points.
Example:

 

May 24 13:53:30 lb-test01 info tmm1[19834]: Rule /DMZPCI/IRULE_SSL_cipher_show <FLOW_INIT>: S: 192.168.22.51%2 starting session
May 24 13:53:30 lb-test01 info tmm1[19834]: Rule /DMZPCI/IRULE_SSL_cipher_show <HTTP_REQUEST>: S: 192.168.22.51%2 --> shop.test-domain.com, cipher ECDHE-RSA-AES128-GCM-SHA256

 


However, when the failure occurs, I can get only start of session and if I need to check for SSL result, I need to grep the source IP:

 

# tail -f /var/log/ltm | grep 192.168.22.51
May 24 13:54:33 lb-test01 info tmm1[19834]: Rule /DMZPCI/IRULE_SSL_cipher_show <FLOW_INIT>: S: 192.168.22.51%2 starting session
May 24 13:54:33 lb-test01 warning tmm1[19834]: 01260009:4: 192.168.22.51%2:62236 -> 192.168.22.103%2:443: Connection error: ssl_select_suite:10065: alert(40) no shared ciphers
May 24 13:54:33 lb-test01 warning tmm1[19834]: 01260026:4: No shared ciphers between SSL peers 192.168.22.51.62236:192.168.22.103.443.
May 24 13:54:33 lb-test01 warning tmm1[19834]: 01260013:4: SSL Handshake failed for TCP 192.168.22.51%2:62236 -> 192.168.22.103%2:443

 


My question -- in iRule, is it possible to catch also the failure and log it, so I don't need to look for it manually (it is public service, meaning there are hundreds of connections every minute).

Thank you very much.

Best Regards
Michal

  • For those, who will try find something similar, this is not possible.

    The SSLcommunication will not start from server (LB) side.
    Only the client will try to establish session, but LB will not answer.

    Maaaybe it is possible via capturing TCP packets and somehow decode ... but this is not something I need to play with.

    Bye.

1 Reply

  • For those, who will try find something similar, this is not possible.

    The SSLcommunication will not start from server (LB) side.
    Only the client will try to establish session, but LB will not answer.

    Maaaybe it is possible via capturing TCP packets and somehow decode ... but this is not something I need to play with.

    Bye.