
How do I obtain the TLS Finished struct in an iRule?

In an iRule, how do I obtain the Finished struct in the first TLS Finished message sent in the most recent TLS handshake of the TLS connection?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can use this:

when CLIENT_ACCEPTED {
    # Hold the client's first bytes so CLIENT_DATA can inspect them before they are forwarded
    TCP::collect
    set default_pool [LB::server pool]
}
when CLIENT_DATA {
    # Store TCP payload up to 2^14 + 5 bytes (one TLS record: 5-byte header plus a body of up to 2^14 bytes)
    set payload [TCP::payload 16389]

    # Record header: content type (1 byte), version (2 bytes, read as hex), length (2 bytes, skipped),
    # then the first byte of the record body, which is the handshake message type while the
    # handshake is still in plaintext. Content type 22 = handshake; version 0301-0303 = TLS 1.0-1.2.
    if { [binary scan $payload cH4x2c tls_record_content_type tls_version tls_handshake_action] == 3 && \
        ($tls_record_content_type == 22) && \
        ([string match {030[1-3]} $tls_version])} {
            switch $tls_handshake_action {
                1 - 12 - 16 {
                    # ClientHello, ServerKeyExchange or ClientKeyExchange: release and keep collecting until Finished
                    TCP::release
                    TCP::collect
                    return
                }
                20 {
                    # Handshake type 20 = Finished: log the whole record as a hex string
                    binary scan $payload H* MESSAGE
                    log local0. "Finished Message : $MESSAGE"
                    TCP::release
                    return
                }
                default {
                    log local0. "unknown Message ID $tls_handshake_action"
                    TCP::release
                    return
                }
            }
    }
    TCP::release
}
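An added example, not from the answer above or from F5, in Python rather than iRule Tcl: it walks a TLS record stream the way the iRule's binary scan does, and shows why the Finished message never shows up as a plaintext handshake type 20. Once a ChangeCipherSpec record has passed in a direction, every following record body in that direction (Finished included) is ciphertext, so its first byte is not a handshake type; the sample byte stream is constructed, not a real capture.

```python
import struct

# Record content types and handshake message types the iRule above switches on
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HS_FINISHED = 20

def parse_records(data: bytes):
    """Walk a TLS 1.0-1.2 record stream the way the iRule's `cH4x2c` scan does.

    Returns (content_type, version_hex, first_handshake_type_or_None, encrypted)
    per complete record. Only the first handshake message in a record is
    examined, as in the iRule. After a ChangeCipherSpec record every later
    body in that direction, the Finished message included, is ciphertext, so
    its first byte is not a handshake type and is reported as None.
    """
    records = []
    encrypted = False
    offset = 0
    while offset + 5 <= len(data):
        content_type, version, length = struct.unpack_from("!BHH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated record: wait for more bytes, as TCP::collect would
        hs_type = None
        if content_type == CONTENT_HANDSHAKE and not encrypted and body:
            hs_type = body[0]
        records.append((content_type, "%04x" % version, hs_type, encrypted))
        if content_type == CONTENT_CHANGE_CIPHER_SPEC:
            encrypted = True
        offset += 5 + length
    return records

def finished_visible(data: bytes) -> bool:
    """True only if a plaintext handshake record of type 20 (Finished) appears."""
    return any(r[0] == CONTENT_HANDSHAKE and r[2] == HS_FINISHED
               for r in parse_records(data))

# Constructed sample stream (not a real capture): a ClientHello record, then
# ChangeCipherSpec, then the encrypted record that carries Finished.
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x06" + b"\x01\x00\x00\x02\x03\x03"  # handshake, type 1
    + b"\x14\x03\x03\x00\x01" + b"\x01"                    # ChangeCipherSpec
    + b"\x16\x03\x03\x00\x10" + bytes(range(0xA0, 0xB0))   # Finished, encrypted
)

if __name__ == "__main__":
    for record in parse_records(SAMPLE_STREAM):
        print(record)
    print("Finished visible in plaintext:", finished_visible(SAMPLE_STREAM))
```

Run against the sample, the third record is reported as encrypted with no handshake type, which is the point at which the iRule's `switch` can no longer match 20.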
Comments on this Answer
Comment made 1 month ago by rossmpersonal

Thank you so much for responding. But what you provided does not allow me to go deep enough to inspect the TLS messages exchanged to obtain the TLS Finished struct. In fact, what you provided seems to indicate that what I am trying to do might not be possible. I am not sure. However, I would like to confirm that it is not possible prior to declaring defeat.
