Forum Discussion

Jeff_Mattson_44
Mar 14, 2007

Access to Decrypted SSL Data

I am looking for a quick sanity check...

My destination service is determined by data inside of an SSL-encrypted packet.

The only way to process decrypted packet data on an SSL-terminating virtual service is to pass it in plaintext to another virtual service using a loopback net, right? (At least I gather this from previous forum posts.) I've got this implemented, but am hoping there is a better way!

The stream::match stuff won't work for me because that gives access to the stream on its way to a destination, right? And I don't have a destination until I read the packet.

Thanks!

Jeff

3 Replies

  • Colin_Walker_12
    Historic F5 Account
    Jeff,

    If you're terminating SSL at the BIG-IP you'll be able to do whatever you want with the packet data in plaintext with just one Virtual Server. There's no need to forward it to another. What is it you're trying to accomplish?

    Colin
  • Here is what was said regarding this topic back in 2005 by one of the F5 developers:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=4638

  • Unfortunately, for SSL connections, you must first collect the data before it can be decrypted. The CLIENT_* events occur before the SSL termination occurs, so you cannot inspect the decrypted content. The protocol handlers (HTTP, etc.) occur after the decryption occurs (if you have a clientssl profile enabled), so from within those you can inspect the data. Unfortunately, without using a redirect to another virtual server as suggested in the above post, it's not possible unless you are using something like HTTP.

    -Joe
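As an added example (not part of the original thread, and not F5's own code), here is the single-virtual-server approach Colin and Joe describe, written as an iRule. It assumes the virtual server has both a clientssl profile and an http profile attached, and that pools named billing_pool, catalog_pool and default_pool exist; those pool names and the host/path patterns are hypothetical.

```tcl
# Added example: choose the pool from decrypted HTTP request data on one
# SSL-terminating virtual server. Assumes a clientssl profile and an
# http profile on the virtual server, and hypothetical pools
# billing_pool, catalog_pool and default_pool.

when CLIENT_ACCEPTED {
    # Runs when the TCP connection is accepted, before SSL termination.
    # Only L3/L4 information is meaningful here; anything gathered with
    # TCP::collect / TCP::payload in CLIENT_DATA would still be TLS
    # records, not plaintext, so no routing decision can be made yet.
    log local0. "Accepted [IP::client_addr]:[TCP::client_port]; payload not yet decrypted"
}

when HTTP_REQUEST {
    # Runs after the clientssl profile has decrypted the stream and the
    # http profile has parsed a request, so HTTP::* values are plaintext.
    set host [string tolower [HTTP::host]]
    set path [string tolower [HTTP::path]]

    # Route on the Host header first, then on the request path.
    # Note: traffic to the selected pool leaves the BIG-IP in the clear
    # unless a serverssl profile is attached to the virtual server.
    if { $host starts_with "billing." } {
        pool billing_pool
    } else {
        switch -glob -- $path {
            "/catalog/*" { pool catalog_pool }
            "/billing/*" { pool billing_pool }
            default      { pool default_pool }
        }
    }
}
```

The CLIENT_ACCEPTED handler is there only to make the ordering concrete: it fires on every connection, but nothing it can see has been decrypted. All of the plaintext-dependent logic lives in HTTP_REQUEST, which is exactly the "protocol handler after decryption" Joe refers to, so no loopback virtual server is needed.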