Redirect SSL connection to new URL before SSL handshake

Question

I did search for this and saw all the articles that this cannot be done, but have someone insisting that it is possible so I'm asking and hoping that the answer has changed since the last articles I saw on this from 2012.&nbsp;
Scenario: My company was purchased and now we are working to relocate everything to the new domain. I have several existing SSL sites running in my LTM v11.4 system. I need to redirect these connections from site.domain1.com to site.domain2.com. During the time my certs are still valid for domain1 this is not an issue, but I have not found a way to initiate the irule before the user gets the warning about the cert being expired.&nbsp;
Current irule:
when HTTP_REQUEST {
  if { [string tolower [HTTP::host]] contains "domain1.com"} {
    HTTP::redirect https://site.domain2.com/[HTTP::uri]}&nbsp;
Is there another trigger I can use in place of HTTP_REQUEST to cause the rule to run before the users get the certificate expired warning?&nbsp;

philip_king_719 · Answer

forgot to include that I have tried RULE_INIT and CLIENT_ACCEPTED already. Both of these produce an error that prevents the irule from being able to be saved.&nbsp;
Error:  [command is not valid in current event context&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;
RULE_INIT is an event raised only when irule is updated or configuration is loaded (start of services...)&nbsp;
CLIENT_ACCEPTED is raised after TCP handshake. there is no way to answer anything except rejecting connection... &nbsp;
The event HTTP_REQUEST is raised after SSL session established. before HTTP_REQUEST event, the bigIP is not able to reply HTTP redirect as the client did not send any request.&nbsp;
So the answer is... This is not possible yet(Previously, I told it was not possible to reply with certificate based on the URL requested by browser... and SNI appeared, so nothing is impossible, only not implemented yet in TLS 1.2)&nbsp;

vernonwells · Answer

To be completely clear, this is not a limitation of BIG-IP or of iRules.  Since TLS is used to protect the HTTP transaction, the TLS handshake must be completed before any HTTP data are sent (otherwise, that data stream would not be protected by TLS).  An HTTP redirect is the result of an HTTP Response message response code.  Thus, the order of events in an HTTPS transaction is always:&nbsp;
TCP three-way handshake;TLS handshake;Exchange of HTTP messages.
And to expand just a bit on what @stanislas said, the events you cite correspond to the following action:&nbsp;
RULE_INIT: fires when a rule is reloaded, typically when the BIG-IP configuration is reloaded or the rule is altered and saved.  This event is unrelated to connections, so any connection-related commands (e.g., IP::client_addr or HTTP::redirect) cannot be used in this event;CLIENT_ACCEPTED: fires when the underlying TCP three-way handshake completes on the client-side of the connection, but in the case of HTTPS, before the TLS handshake begins.  Because this event relates solely to the L4 state machine, commands for higher layer protocols (e.g., HTTP::redirect) cannot be used here;HTTP_REQUEST: fires after the HTTP headers are received in full on the client-side.  In the case of HTTPS, this occurs after the TLS handshake is completed.

hamish · Answer

It's not possible 'securely'... If it were available, it would be pretty insecure.&nbsp;
The reason is that redirects are done at the HTTP level. SSL/TLS connections provide the transport for that HTTP layer. So until SSL/TLS has completed, there is no stream for the HTTP protocol to work with.&nbsp;
As for TLS level redirects... Nope... That would leave you open for a MITM attack. The only safe way would be to keep renewing those certs until they're no longer needed... &nbsp;
However you could just get the new company to purchase certs that have both names in them. Then you can just redirect from one name to the other, AFTER the TLS is negotiated with the 'old' name&nbsp;
H&nbsp;

philip_king_719 · Answer

Thanks guys. This is what I expected, but had to ask.

Forum Discussion

Redirect SSL connection to new URL before SSL handshake

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Anchor Link Redirect

Restricting number of concurrent TLS handshakes using Max Active Handshakes on BIG-IP

HTTPS - Monitor SSL Handshake

F5 Connection Mirroring question

DevCentral Connects hosts Capture the Flag!