Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

iRule to accept client then SSL cert validation

Go to solution
MaxMedov
Cirrostratus
Cirrostratus

‎09-Jan-2023 06:36

Hi everyone 🙂
Please advise the best way to combine an iRule with doing this:
1. Accept only client coming from 1 specific IP
then:
2. For the rest (who are not this specific IP), I want to check SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection

The meaning is the source of the 1 client come without the CN and I want to pass over him and check only for the rest

Thanks you!

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Hooni_L
Cirrus
Cirrus

‎12-Jan-2023 20:13

@MaxMedov
I think you can use tcp::collect.

 

refer tcp collect start irule 

when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0

    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside


    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } { #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]" }

    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    set monitor_id [ after 500 {
        TCP::release
    } ]
}

and you can check the sni, cn, etc... in "when CLIENT_DATA "

View solution in original post

5 REPLIES 5

Go to solution
G-Rob
F5 Employee
F5 Employee

‎10-Jan-2023 09:37

Max,

Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.

0 Kudos

Go to solution
MaxMedov
Cirrostratus
Cirrostratus

‎12-Jan-2023 01:58

Hi@G-Rob, from what I know, I can't choose an iRule in LTM Policy for the checking SSL (containing specific CN)
Can I do it in LTM Policy only without an iRule?

0 Kudos

Go to solution
G-Rob
F5 Employee
F5 Employee
In response to MaxMedov

‎18-Jan-2023 09:24

Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying. 

Screen Shot 2023-01-18 at 12.22.42 PM.png

0 Kudos

Go to solution
Hooni_L
Cirrus
Cirrus

‎12-Jan-2023 20:13

@MaxMedov
I think you can use tcp::collect.

 

refer tcp collect start irule 

when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0

    # disable client/serverside ssl profile by default
    SSL::disable clientside
    #SSL::disable serverside


    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip ] ne "" } { #log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]" }

    # run TCP collect to check SNI for bypass before intercept SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    set monitor_id [ after 500 {
        TCP::release
    } ]
}

and you can check the sni, cn, etc... in "when CLIENT_DATA "

Go to solution
Leslie_Hubertus
Community Manager
Community Manager
In response to Hooni_L

‎17-Jan-2023 17:19

@MaxMedov did @Hooni_L's solution work for you? If yes, can you please click the Accept as Solution button under their post? That way future users with the same challenge can easily find the answer. Thanks!

0 Kudos
Copyright © 2023 Khoros, LLC