Forum Discussion

MaxMedov's avatar
MaxMedov
Icon for Cirrostratus rankCirrostratus
Jan 09, 2023
Solved

iRule to accept client then SSL cert validation

Hi everyone 🙂
Please advise the best way to combine an iRule with doing this:
1. Accept only client coming from 1 specific IP
then:
2. For the rest (who are not this specific IP), I want to check SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection

The meaning is the source of the 1 client come without the CN and I want to pass over him and check only for the rest

Thanks you!

devops
  • Hooni_L's avatar
    Hooni_L
    Jan 13, 2023

    MaxMedov
    I think you can use tcp::collect.

     

    refer tcp collect start irule 

    when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0

    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside


    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } { #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]" }

    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    set monitor_id [ after 500 {
        TCP::release
    } ]
}

    and you can check the sni, cn, etc... in "when CLIENT_DATA "

5 Replies

Sort By
  • Hooni_L's avatar
    Hooni_L
    Icon for Cirrus rankCirrus
    Jan 13, 2023

    MaxMedov
    I think you can use tcp::collect.

     

    refer tcp collect start irule 

    when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0

    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside


    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } { #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]" }

    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    set monitor_id [ after 500 {
        TCP::release
    } ]
}

    and you can check the sni, cn, etc... in "when CLIENT_DATA "

    • Leslie_Hubertus's avatar
      Leslie_Hubertus
      Ret. Employee
      Jan 18, 2023

      MaxMedov did Hooni_L's solution work for you? If yes, can you please click the Accept as Solution button under their post? That way future users with the same challenge can easily find the answer. Thanks!

  • G-Rob's avatar
    G-Rob
    Icon for Employee rankEmployee
    Jan 10, 2023

    Max,

    Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.

  • MaxMedov's avatar
    MaxMedov
    Icon for Cirrostratus rankCirrostratus
    Jan 12, 2023

    HiG-Rob, from what I know, I can't choose an iRule in LTM Policy for the checking SSL (containing specific CN)
    Can I do it in LTM Policy only without an iRule?

    • G-Rob's avatar
      G-Rob
      Icon for Employee rankEmployee
      Jan 18, 2023

      Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying.