- Deb_Allen_18 (Historic F5 Account): HTTP and HTTPS connections on the same virtual server are not supported. As soon as you apply a clientssl profile to the virtual, any connection attempt will initiate the SSL handshake, and HTTP requests will be reset when the browser declines to negotiate the handshake.
- JRahm (Admin): I don't disagree with you, just exploring potential here... could you do a tcp collect to look for the ssl headers, and if not present, issue an SSL::disable? I'm guessing no, but I thought I'd toss a bone to the deep thinkers out there...
- JRahm (Admin): After rereading my previous posting, it sounds like I'm excluding you from the deep thinker category, which isn't true. I really appreciate your thoughtful postings to the forum.
- Deb_Allen_18 (Historic F5 Account): Headers and data alike are encrypted over an HTTPS connection, so the SSL handshake has to complete before any higher-level headers or data is exchanged.
- unRuleY_95363 (Historic F5 Account): Citizen_elah, you are right. You could use TCP::collect to determine if the initial data packet looks like a plain text HTTP request or perhaps an SSL record and then use that logic to disable the SSL profile (with SSL::disable). As a matter of fact, I'm quite sure I posted an example of that some time ago... Maybe a search for SSL::disable will yield the result.
- Deb_Allen_18 (Historic F5 Account): Hi Citizen --
- unRuleY_95363 (Historic F5 Account): Think outside the box... Basically, the idea is probably simpler than you are imagining. You configure an HTTPS virtual and then if the first data received is not encrypted, simply disable the SSL profile and don't decrypt the un-encrypted data, otherwise the data gets decrypted.
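- Deb_Allen_18 (Historic F5 Account):

  ```tcl
  when CLIENT_ACCEPTED {
      # Hold the first 5 bytes from the client before the SSL profile acts on them
      TCP::collect 5
  }
  when CLIENT_DATA {
      # http_methods is a class (data group) of HTTP method strings
      if { [matchclass [TCP::payload] starts_with $::http_methods] } {
          # Plain-text HTTP request: skip client-side SSL for this connection
          SSL::disable
      }
      # Release the collected bytes so normal processing resumes
      TCP::release
  }
  ```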
- bl0ndie_127134 (Historic F5 Account): No need to write a rule to do this. There is a profile option that allows SSL to enter passthrough mode for non-SSL traffic.
- Deb_Allen_18 (Historic F5 Account): sheesh, nobody tells me nuthin'!
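The first-bytes check discussed in this thread, as an added Python example (not code from any poster and not F5's implementation). It classifies the 5 collected bytes as a TLS record header or an HTTP request line and leaves SSL enabled for anything else; the method list and sample inputs are constructed, since the contents of the thread's `http_methods` class are not shown.

```python
import struct

# Assumed method list (the thread does not show the http_methods class).
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH")
PEEK = 5  # same number of bytes as `TCP::collect 5`


def looks_like_tls_record(head: bytes) -> bool:
    """True if the 5 bytes parse as a TLS record header carrying a handshake."""
    if len(head) < PEEK:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", head[:PEEK])
    # 0x16 = handshake record, version 3.x, payload at most 2^14 bytes.
    return ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384


def looks_like_http(head: bytes) -> bool:
    """True if the bytes agree with the start of '<METHOD> ' for a known method.

    Comparing only the overlapping prefix matters: a plain starts-with test on
    5 bytes can never match a method name longer than 5 bytes (e.g. OPTIONS).
    """
    for method in HTTP_METHODS:
        token = method + b" "
        n = min(len(head), len(token))
        if head[:n] == token[:n]:
            return True
    return False


def classify(head: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes of a connection."""
    if len(head) < PEEK:
        return "unknown"
    if looks_like_tls_record(head):
        return "tls"
    return "http" if looks_like_http(head) else "unknown"


def should_disable_ssl(head: bytes) -> bool:
    """Only confirmed plain-text HTTP bypasses SSL; unknown data keeps it on."""
    return classify(head) == "http"


if __name__ == "__main__":
    # Constructed samples: TLS ClientHello header, two HTTP requests, SSH banner.
    for sample in (bytes.fromhex("1603010200"), b"GET /", b"OPTIO", b"SSH-2"):
        print(sample, classify(sample), should_disable_ssl(sample))
```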