Forum Discussion

Nimbostratus

Jan 08, 2013

Unable to send SSL response to client

Hi,

This is my first post on this forum and before doing so, I have tried to read as much as possible to find other posts with a similar issues. Unfortunately there isn't anything out there that exactly fits my issue.

As mentioned in the "Handling Client Certificates" post in 2010, I'm trying to implement SSL re-encryption (https://devcentral.f5.com/tech-tips/articles/persisting-ssl-connections) - i.e. Client->SSL->Big-IP->SSL->application server

I've configured both a custom client SSL profile and a custom server SSL profile, and assigned them to my virtual server. The client SSL profile is configured with a CA signed certificate and the server SSL profile is configured with a BIG-IP self signed certificate. I have an iRule assigned to this virtual server which simply logs the request from the client, and the response from the server. The client SSL profile is set to its default value i.e. to ignore the client certificate.

When attempting to access the backend server at https://example.com, the client's SSL request is decrypted on the BIG-IP and in turn my iRule is invoked as expected. The request is then re-encrypted and sent to the virtual server, which in turn responds appropriately. My iRule is correctly invoked here to shows the decrypted response I've received from the server.

However, it's at this point that something goes wrong. The response is never sent back to the client for some reason and I can't work out why.

Any help would be greatly appreciated.

I've tried adding SSL::respond [HTTP::payload] into the iRule to send the response back to the client when it is received from the virtual server but I simply get a error saying "Error: SSL hudfilter not reached or not in chain". TBH I don't think I need this as BIG-IP should do this out of the box in this configuration.

Thank you in advance.

Btw, I should have said that the version of BIG-IP we have is 10.1.0

Here's my iRule:

when RULE_INIT {

set reject_provisioning_page {

404 - Page Not Found.

}

when HTTP_REQUEST {

if { [matchclass [HTTP::uri] starts_with $::MyValidUris] } {

log "Request received from client: [IP::client_addr]"

log "Request content: [HTTP::method] [HTTP::uri]"

} else {

log "Responding with error as the request's URI is not in the list of valid URIs"

HTTP::respond 404 content [subst $::my_reject_page]

}

when HTTP_RESPONSE {

log "[HTTP::status] response received from server: [IP::server_addr]"

log "Response Payload: [HTTP::payload]"

}

12 Replies

nitass
Employee
Jan 08, 2013
However, it's at this point that something goes wrong. The response is never sent back to the client for some reason and I can't work out why.do you mean if user does not see web page content (in browser)? or do you mean if HTTP::payload returns blank in the irule?

if it is latter one (HTTP::payload), i understand it is expected because i do not see HTTP::collect in the irule.

HTTP::payload Wiki

https://devcentral.f5.com/wiki/irules.HTTP__payload.ashx
smedakkar_85975
Nimbostratus
Jan 08, 2013
Thanks for replying so soon. I meant that the user does not see the web page in their browser. After it failed in this way, I tried by adding HTTP::payload ... which also failed.

I'd prefer to get it working without the HTTP::payload in the iRule, but if that's the only way it should work, then that's fine with me.
smedakkar_85975
Nimbostratus
Jan 08, 2013
I've updated the iRule based on your comments ...

when HTTP_RESPONSE {

HTTP::collect [HTTP::header Content-Length]

}

when HTTP_RESPONSE_DATA {

log "Response content Length [HTTP::header Content-Length]"

log "[HTTP::status] response received from server: [IP::server_addr]"

log "Response Payload: [HTTP::payload]"

SSL::respond [HTTP::payload]

}

... and it now fails with the following error: Error: SSL hudfilter not reached or not in chain (line 1) invoked from within "SSL::respond [HTTP::payload]"
What_Lies_Bene1
Cirrostratus
Jan 08, 2013
Just going back to basics here, surely you shouldn't have to use an iRule to send the response at all right? I'd investigate that issue first. Also, if you have SSL::respond specified in the HTTP_RESPONSE_DATA event, surely it's a bit too late.
smedakkar_85975
Nimbostratus
Jan 08, 2013
Agreed - I don't believe I need an iRule for this either. I'm only trying to use it because without it, I couldn't get the response received from the server to go back to the client in order to show the page in the browser.
nitass
Employee
Jan 08, 2013
Thanks for replying so soon. I meant that the user does not see the web page in their browser. After it failed in this way, I tried by adding HTTP::payload ... which also failed. even using HTTP::payload without HTTP::collect, it would not cause not seeing web page in browser. have you tried to remove the irule and see whether it works?

additionally, have you tried to use default clientssl and serverssl profile? since you do not do client certificate authentication, i do not think you need ca setting in clientssl profile. for serverssl profile, if server does not perform client certificate authentication, i do not think you need certificate and private key setting in serverssl profile too.

nitass

Employee

Jan 08, 2013

this is just an example configuration based on the codeshare below.

HTTP Payload Collection by Deb

https://devcentral.f5.com/wiki/irules.httppayloadcollection.ashx

[root@ve10:Active] config  b virtual bar443 list
virtual bar443 {
   snat automap
   pool foo
   destination 172.28.19.252:443
   ip protocol 6
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:443 {}
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when RULE_INIT {
  set static::my_reject_page { page not found }
}

when HTTP_REQUEST {
  if { [class match -- [HTTP::uri] starts_with MyValidUris] } {
    log local0. "Request received from client: [IP::client_addr]"
    log local0. "Request content: [HTTP::method] [HTTP::uri]"
    if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }
  } else {
    log local0. "Responding with error as the request's URI is not in the list of valid URIs"
    HTTP::respond 200 content $static::my_reject_page
  }
}

when HTTP_RESPONSE {
  log local0. "[HTTP::status] response received from server: [IP::server_addr]"
  if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] < 1048577 } {
    set content_length [HTTP::header "Content-Length"]
  } else {
    set content_length 1048576
  }
  log local0.info "Content Length: $content_length"
  if { $content_length > 0 } {
     HTTP::collect $content_length
  }
}

when HTTP_RESPONSE_DATA {
  log local0. "Response Payload: [HTTP::payload]"
  HTTP::release
}
}
[root@ve10:Active] config  b class MyValidUris list
class MyValidUris {
   "/valid"
}

[root@ve10:Active] config  tail -f /var/log/ltm
Jan  9 00:54:45 local/tmm info tmm[4884]: Rule myrule : Request received from client: 172.18.205.12
Jan  9 00:54:45 local/tmm info tmm[4884]: Rule myrule : Request content: GET /valid/index.html
Jan  9 00:54:45 local/tmm info tmm[4884]: Rule myrule : 200 response received from server: 200.200.200.101
Jan  9 00:54:45 local/tmm info tmm[4884]: Rule myrule : Content Length: 89
Jan  9 00:54:45 local/tmm info tmm[4884]: Rule myrule : Response Payload:    This is 101 host.

Kevin_Stewart
Employee
Jan 08, 2013
If I may add, try removing the iRule entirely to make sure the basic pass-through configuration works.
smedakkar_85975
Nimbostratus
Jan 08, 2013
Initially I didn't have an iRule, which resulted in the client's browser not displaying the page returned from the server. So I thought I'd add an iRule into the mix just to see what what was going on. As you can see, the iRule simply logs when the client's request is decrypted and then logs again when the server's response is decrypted. This works fine and confirms that the client-side SSL is being terminated on the BIG-IP and then another server-side SSL is being established to the virtual server.

Without the client and server profiles defined, just as you said, I can get SSL passthrough working, but unfortunately that's not the configuration I need to implement. My requirement is to have the client SSL terminated on the BIG-IP and re-encrypted between it and the server. The server offers up a CA signed certificate, which I've used to configure a custom client side SSL profile with. And I've got a self signed certificate on the server SSL profile to use to re-encrypt the request on the server-side.

I though I could make it work using an iRule ... but as you can see - no :-( I'm sure I've missed something but I just can't see what it is.
smedakkar_85975
Nimbostratus
Jan 08, 2013
Nitass - I forgot to thank you for posting your code share. Just as in your output, I too see the HTML code returned from the server, but this is what never gets back to the client.

Forum Discussion

Unable to send SSL response to client

12 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Introduction of Incident Response

FIX Message Response

Enhance your Application Security using Client-side signals

Logging of DNS Requests and Responses without a DNS license

unable create service case in my.f5.com