Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

issues capturing client and server side SSL handshake (only TCP profile on VIP)

Hi, im trying to capture both the client and server side of a SSL neg. I can capture the client side hand shake fine but i only seem to be able to catpure payload post ssl/tls neg on the server side.

when CLIENT_ACCEPTED priority 300 {
   TCP::collect

##other unimportant logic here
}

when CLIENT_DATA priority 200 {
    # store the original handshake to replay to the server after the CONNECT
    binary scan [TCP::payload] H* orig
    log -noname local5. "orig: $orig"
## more unimportant logic here
    TCP::release
}

when SERVER_CONNECTED priority 200 {
   TCP::collect 
}

when SERVER_DATA priority 200 {
    binary scan [TCP::payload] H* px_reply_dump
    log local5. "[IP::client_addr]:[TCP::client_port] px dump '$px_reply_dump' orig '$orig'"
## even more unimportant logic here
    TCP::release
}

On the client side i get the handshake 1603010048010000440301572263f9c084b8c4beb8b841bf536d6aea85dbe173bacb4f88ede3115db1a08900001600040005000a0009006400620003000600130012006301000005ff01000100

on the server side i get the payload which is HTTP 200 continue 485454502f312e302032303020436f6e6e65637465640d0a0d0a

i have tried all different things to try and capture the server side, collecting in LB::selected, using TCP notify to collect in USER_REQUESTED

i have seen examples like this: https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections but in my case i just dont get the handshake.

Any advice or pointers?

the VS the irule is on

ltm virtual test_proxy_intercept {
    destination 0.0.0.0:https
    ip-protocol tcp
    mask any
    pool test_proxy_intercept
    profiles {
        tcp { }
    }
    rules {
        proxy-https
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans {
        Inside-F5
        Outside-F5
    }
    vlans-enabled
    vs-index 4698
}
0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Because the virtual server is not configured with any SSL profiles, you will not be able to inspect the traffic as the F5 cannot decrypt it.

This should work if you add a client and server ssl profile (ssl bridging) to the virtual server. Once that is in place, the F5 can decrypt the traffic, and your iRule should work.

0
Comments on this Answer
Comment made 28-Apr-2016 by andrew 195
im not trying to look at encrypted payload, i am trying to read the SSL client and server hello's that is all. but you did just give me a thought, this is a vip for a proxy, the SSL server handshake is probably be the next packet.... funny how when you type things out they become obvious....lol
0