Technical Forum
iRule to accept client then SSL cert validation

MaxMedov
Cirrus

Hi everyone 🙂
Please advise the best way to do this with an iRule:
1. Accept only the client coming from one specific IP
then:
2. For the rest (those not coming from this specific IP), check the SSL CN, for example ABC.COM
3. If it does not contain ABC.COM, reject the connection

The point is that this one client connects without the CN, so I want to let it through and check only the rest.

Thank you!

1 ACCEPTED SOLUTION

Hooni_L
Cirrus

@MaxMedov
I think you can use TCP::collect.

Refer to the TCP collect start iRule:

when CLIENT_ACCEPTED {
    # DEBUG On/Off : 1/0
    set DEBUG 0

    # disable the clientside ssl profile by default so CLIENT_DATA sees the raw ClientHello
    SSL::disable clientside
    #SSL::disable serverside

    # log the flow when DEBUG is on or the client is listed in the debug_ip data group
    # (the data group must exist, otherwise class match raises a runtime error)
    if { $DEBUG || [class match -name -- [IP::client_addr] equals debug_ip] ne "" } {
        log local0. "flow is - [IP::remote_addr] -> [IP::local_addr]"
    }

    # run TCP collect to check SNI for bypass before intercepting SSL traffic
    # log local0. "run client collect command"
    TCP::collect
    # safety net: release the collected data after 500 ms even if CLIENT_DATA never decides;
    # keep the id so CLIENT_DATA can "after cancel" it once it has released or rejected
    set monitor_id [ after 500 {
        TCP::release
    } ]
}

and you can check the SNI, CN, etc. in "when CLIENT_DATA".
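A complete iRule built on this TCP::collect pattern, as an added example that is not part of the original post or of F5's own code: it covers the three steps in the question (one trusted source address is let through, everyone else is checked, non-matching connections are rejected) and fills in the CLIENT_DATA part the answer refers to by parsing the server_name (SNI) extension out of the raw ClientHello. The trusted address 192.0.2.10, the required name abc.com, the variable names and the 500 ms fail-closed timer are assumptions; so is re-enabling the clientside SSL profile before TCP::release, which this disable-first pattern needs so the SSL filter then processes the handshake normally.

```tcl
# Added example (not from the original post or F5): IP bypass plus SNI check on the
# raw ClientHello, following the accepted answer's SSL::disable / TCP::collect pattern.
# Assumed values: trusted source 192.0.2.10, required name abc.com, 500 ms fail-closed timer.
when CLIENT_ACCEPTED {
    # One trusted source is accepted whatever its ClientHello carries (assumed address)
    set bypass [IP::addr [IP::client_addr] equals 192.0.2.10]

    # Keep the SSL filter out of the way so CLIENT_DATA sees the ClientHello bytes
    SSL::disable clientside
    TCP::collect

    # Fail closed: a client that sends nothing we can decide on within 500 ms is dropped
    set release_timer [after 500 { reject }]
}

when CLIENT_DATA {
    if { $bypass } {
        after cancel $release_timer
        SSL::enable clientside
        TCP::release
        return
    }

    set payload [TCP::payload]
    set plen [TCP::payload length]
    set sni ""

    # Record header (5) + handshake header (4) + version (2) + random (32) + session id length (1)
    if { $plen < 44 } {
        TCP::collect
        return
    }

    # TLS record type 22 = handshake, handshake type 1 = ClientHello
    binary scan $payload cSSc rec_type rec_ver rec_len hs_type
    set rec_len [expr {$rec_len & 0xffff}]
    if { $rec_type != 22 || $hs_type != 1 } {
        after cancel $release_timer
        reject
        return
    }
    if { $plen < 5 + $rec_len } {
        # ClientHello split across segments: keep collecting, the timer bounds the wait
        TCP::collect
        return
    }

    # Walk session id, cipher suites and compression methods to reach the extensions;
    # a malformed length makes a binary scan fail, which catch turns into "no SNI"
    catch {
        set offset 43
        binary scan $payload @${offset}c sid_len
        incr offset [expr {1 + ($sid_len & 0xff)}]
        binary scan $payload @${offset}S cs_len
        incr offset [expr {2 + ($cs_len & 0xffff)}]
        binary scan $payload @${offset}c cm_len
        incr offset [expr {1 + ($cm_len & 0xff)}]

        binary scan $payload @${offset}S ext_len
        incr offset 2
        set ext_end [expr {$offset + ($ext_len & 0xffff)}]
        if { $ext_end > $plen } { set ext_end $plen }

        while { $offset + 4 <= $ext_end } {
            binary scan $payload @${offset}SS ext_type ext_size
            set ext_type [expr {$ext_type & 0xffff}]
            set ext_size [expr {$ext_size & 0xffff}]
            incr offset 4
            if { $ext_type == 0 } {
                # server_name: list length (2), then name type (1) and name length (2)
                binary scan $payload @${offset}ScS list_len name_type name_len
                if { $name_type == 0 } {
                    set name_len [expr {$name_len & 0xffff}]
                    binary scan $payload @[expr {$offset + 5}]a${name_len} sni
                }
                break
            }
            incr offset $ext_size
        }
    }

    after cancel $release_timer
    set host [string tolower $sni]
    if { $host eq "abc.com" || [string match "*.abc.com" $host] } {
        SSL::enable clientside
        TCP::release
    } else {
        log local0. "rejecting [IP::client_addr]: SNI '$sni' is not abc.com"
        reject
    }
}
```

Two caveats. SNI is the hostname the client asks for, not a certificate CN; if the requirement is really the subject CN of a client certificate, that check belongs in CLIENTSSL_CLIENTCERT using [X509::subject [SSL::cert 0]] with a clientssl profile that requests client certificates, and the TCP::collect parsing above does not apply. The match is abc.com or *.abc.com rather than the "contains" wording of the question, because a contains check would also accept a name such as abc.com.attacker.example.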


5 REPLIES

G-Rob
F5 Employee

Max,

Check out LTM policies. You may be able to build this logic a bit easier without needing to write a custom iRule.

MaxMedov
Cirrus

Hi @G-Rob, from what I know, I can't choose an iRule in an LTM Policy for checking SSL (containing a specific CN).
Can I do it in LTM Policy only without an iRule?

Yes, you can do all of those things. I have not used the SSL Certificate matching, so I would test in your lab before deploying. 

[screenshot attached: Screen Shot 2023-01-18 at 12.22.42 PM.png]


@MaxMedov did @Hooni_L's solution work for you? If yes, can you please click the Accept as Solution button under their post? That way future users with the same challenge can easily find the answer. Thanks!