Forum Discussion
Standard VIP, TCP::collect, TLS analysis w/o offload
Hello, guys. I have a standard TCP VIP which is proxying an HTTPS application (no SSL offload) where a client certificate is requested by the back-end server. I need to analyze the client certificate on the fly, which, as you know, is sent in clear text, to perform some analysis. I saw several posts on DevCentral (the most amazing one is TLS Fingerprinting) and now I have the following concerns.
I'm following the same idea where we are looking for a TLS message of a certain type (ClientCertificate=11 here). In my case, the difference from TLS Fingerprinting (if I understand correctly) is that ClientHello is always the first packet on the clientside after the 3-way handshake (CLIENT_ACCEPTED), which seems quite easy to catch. To have ClientCertificate collected, I managed to build the following iRule:
```tcl
when CLIENT_ACCEPTED {
    set pool_HSL [HSL::open -proto UDP -pool pool_syslog_hsl]
    TCP::collect
}
when CLIENT_DATA {
    # Get the TLS record type, version and length, then the handshake type.
    #   c  = record content type (22 = handshake)
    #   H4 = record version as 4 hex digits
    #   S  = record length (16-bit)
    #   c  = handshake message type (11 = Certificate)
    #   c7 = 7 bytes skipped: 3-byte handshake length, 3-byte certificate_list
    #        length and the high byte of the first certificate length
    #   S  = low 16 bits of the first certificate length
    binary scan [TCP::payload] cH4Scc7S rtype sslver rlen type somth certlength
    if { ( ${rtype} == 22 ) and ( ${type} == 11 ) } {
        # This is a TLS Certificate message (22 = TLS handshake record, 11 = Certificate)
        HSL::send $pool_HSL "Received a TLS ClientHello message rtype=${rtype}, type=${type}"
    }
    TCP::release
    TCP::collect
}
```
I'm successfully getting packets containing ClientCertificate logged:
2017 Nov 14 19:24:45,Received a TLS ClientHello message rtype=22, type=11
Recently I got several complaints that sometimes clients hitting this VIP receive timeouts. It turned out that when a client is opening like ten client-side sessions where a certificate is sent for every handshake, there is always one session where the clientside 3-way handshake was performed and the client-hello sent, but F5 didn't send a serverside SYN to the backend server, which ends up with a 300-second timeout and teardown:
10.128.1.5:10970 172.16.3.1:443 any6.any any6.any tcp 202 (slot/tmm: 3/5) none
I doubt that there is a problem where I do not perform TCP::release in a correct way - as you can see, every CLIENT_DATA event ends up with TCP::collect, otherwise I'm not able to collect the ClientCertificate message.
I'd be very grateful if somebody gave me a piece of advice; it looks like I'm missing something really basic.
Thanks a lot
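As an added example (not from the post above and not F5 code), here is a stand-alone Python parser that walks TLS records the way the iRule's `binary scan` does, but reads the 3-byte handshake and certificate lengths in full and reports how many bytes are still missing when a record is incomplete, i.e. when more data would have to be collected before the Certificate message can be inspected. The DER blob in the sample builder is a constructed placeholder, not a real certificate.

```python
import struct
TLS_HANDSHAKE = 22   # record content type for handshake messages
HS_CERTIFICATE = 11  # handshake message type carrying the certificate chain

def parse_records(payload):
    """Split a TCP payload into complete TLS records (ctype, version, body) and
    return how many bytes are still missing to finish the last, partial record."""
    records, off = [], 0
    while off < len(payload):
        avail = len(payload) - off
        if avail < 5:                     # incomplete 5-byte record header
            return records, 5 - avail
        ctype, version, rlen = struct.unpack_from("!BHH", payload, off)
        if avail - 5 < rlen:              # record body not fully here yet
            return records, rlen - (avail - 5)
        records.append((ctype, version, payload[off + 5:off + 5 + rlen]))
        off += 5 + rlen
    return records, 0

def handshake_messages(body):
    """Yield (hs_type, hs_body) pairs; handshake lengths are 3 bytes,
    unlike the 2-byte record length the iRule reads with 'S'."""
    off = 0
    while off + 4 <= len(body):
        hs_type = body[off]
        hs_len = int.from_bytes(body[off + 1:off + 4], "big")
        yield hs_type, body[off + 4:off + 4 + hs_len]
        off += 4 + hs_len

def find_certificate(payload):
    """Return (certificate_list_len, first_cert_len) for the first complete
    Certificate message in payload, or None if none is present yet."""
    records, _missing = parse_records(payload)
    for ctype, _ver, body in records:
        if ctype != TLS_HANDSHAKE:
            continue
        for hs_type, hs_body in handshake_messages(body):
            if hs_type == HS_CERTIFICATE and len(hs_body) >= 6:
                total = int.from_bytes(hs_body[0:3], "big")
                first = int.from_bytes(hs_body[3:6], "big")
                return total, first
    return None

def build_certificate_record(cert_der, version=0x0303):
    """Constructed sample: one TLS 1.2 handshake record with a Certificate message."""
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    hs_body = len(entry).to_bytes(3, "big") + entry
    hs_msg = bytes([HS_CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", TLS_HANDSHAKE, version, len(hs_msg)) + hs_msg
```

Feeding `find_certificate` a buffer truncated mid-record returns `None` while `parse_records` reports the byte count still outstanding, which is the condition an iRule has to keep collecting on.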