FMA
Nov 14, 2017

Standard VIP, TCP::collect, TLS analysis w/o offload

Hello, guys. I have a standard TCP VIP, which is proxying an HTTPS application (no SSL offload) where a client certificate is requested by the back-end server. I need to analyze the client certificate on the fly, which, as you know, is sent in clear text, to perform some analysis. I saw several posts on DevCentral (the most amazing one is TLS Fingerprinting) and now I have the following concerns.

I'm following the same idea, where we are looking for a TLS message of a certain type (ClientCertificate=11 here). In my case, the difference from TLS Fingerprinting (if I understand correctly) is that ClientHello is always the first packet on the clientside after the 3-way handshake (CLIENT_ACCEPTED), which seems quite easy to catch. To have ClientCertificate collected, I managed to build the following iRule:

when CLIENT_ACCEPTED {
    set pool_HSL [HSL::open -proto UDP -pool pool_syslog_hsl]
    TCP::collect
}
when CLIENT_DATA {
    # Get the TLS record type, version and length, and the type of the first handshake message
    binary scan [TCP::payload] cH4Scc7S rtype sslver rlen type somth certlength
    if { ( ${rtype} == 22 ) and ( ${type} == 11 ) } {
        # This is a TLS handshake record (22) carrying a Certificate message (11)
        HSL::send $pool_HSL "Received a TLS ClientHello message rtype=${rtype}, type=${type}"
    }
    TCP::release
    TCP::collect
}

I'm successfully getting packets containing ClientCertificate logged:

2017 Nov 14 19:24:45,Received a TLS ClientHello message rtype=22, type=11

Recently I got several complaints that sometimes clients hitting this VIP receive timeouts. It turned out that when a client is opening, like, ten client-side sessions where a certificate is sent for every handshake, there is always one session where the clientside 3-way handshake was performed and the ClientHello sent, but F5 didn't send a serverside SYN to the backend server, which ends up with a 300 sec timeout and teardown:

10.128.1.5:10970       172.16.3.1:443      any6.any          any6.any           tcp   202   (slot/tmm: 3/5)  none

I doubt that there is a problem where I do not perform TCP::release in a correct way; as you can see, every CLIENT_DATA event ends up with TCP::collect, otherwise I'm not able to collect the ClientCertificate message.

I'd be very grateful if somebody gave me a piece of advice; it looks like I'm missing something really basic.

Thanks a lot
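Added example (my own code, not from the thread or from F5): the iRule's `binary scan` only inspects the first handshake message at offset 5 of the collected payload, so this Python walk shows how to iterate over every TLS record and every handshake message inside a record, which finds a Certificate message even when it follows a ClientHello record or shares a record with ClientKeyExchange, and stops cleanly on a truncated record. The sample bytes (two placeholder DER blobs) are constructed, not a real capture.

```python
import struct

TLS_HANDSHAKE, HS_CLIENT_HELLO, HS_CERTIFICATE = 22, 1, 11   # record type, handshake types

def tls_records(payload):
    # Yield (content_type, version, body) per complete record; stop at a truncated one.
    off = 0
    while off + 5 <= len(payload):
        ctype, ver, rlen = struct.unpack('!BHH', payload[off:off + 5])
        if off + 5 + rlen > len(payload):
            break                      # partial record: the proxy must keep collecting
        yield ctype, ver, payload[off + 5:off + 5 + rlen]
        off += 5 + rlen

def handshake_messages(body):
    # Yield (type, body) for every handshake message packed into one record body.
    off = 0
    while off + 4 <= len(body):
        hs_type, hs_len = body[off], int.from_bytes(body[off + 1:off + 4], 'big')
        if off + 4 + hs_len > len(body):
            break
        yield hs_type, body[off + 4:off + 4 + hs_len]
        off += 4 + hs_len

def client_certificates(payload):
    # Return the DER certificates carried by every Certificate message in payload.
    certs = []
    for ctype, _ver, body in tls_records(payload):
        if ctype != TLS_HANDSHAKE:
            continue
        for hs_type, hs_body in handshake_messages(body):
            if hs_type != HS_CERTIFICATE or len(hs_body) < 3:
                continue
            end, off = 3 + int.from_bytes(hs_body[:3], 'big'), 3   # certificate_list bounds
            while off + 3 <= min(end, len(hs_body)):
                clen = int.from_bytes(hs_body[off:off + 3], 'big')
                certs.append(hs_body[off + 3:off + 3 + clen])
                off += 3 + clen
    return certs
def record(ctype, body):                 # TLS record header + body
    return struct.pack('!BHH', ctype, 0x0303, len(body)) + body
def handshake(hs_type, body):            # handshake message header + body
    return bytes([hs_type]) + len(body).to_bytes(3, 'big') + body

# Constructed sample (not a real capture): a ClientHello record, then one record packing a Certificate message (two placeholder DER blobs) together with a ClientKeyExchange (16).
CERT_A, CERT_B = b'\x30\x03\x02\x01\x01', b'\x30\x03\x02\x01\x02'
CERT_LIST = b''.join(len(c).to_bytes(3, 'big') + c for c in (CERT_A, CERT_B))
CERT_MSG = handshake(HS_CERTIFICATE, len(CERT_LIST).to_bytes(3, 'big') + CERT_LIST)
SAMPLE = (record(TLS_HANDSHAKE, handshake(HS_CLIENT_HELLO, b'\x03\x03' + bytes(34)))
          + record(TLS_HANDSHAKE, CERT_MSG + handshake(16, b'\x00')))
```

Note that `SAMPLE[5]` is 1 (ClientHello), which is all the single `binary scan` sees, while the walk returns both certificates.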
