N__197982
Sep 18, 2017

iRule to disable Client SSL even when SSL Profile (Client) is selected in the VIP.

Folks, I am looking for an iRule which will help me disable SSL negotiation when the incoming request does not have SSL. The VIP I am going to configure is already going to have an SSL certificate in it.

Is this possible?

The reason to do this is to use the same iRule to work on SSL and non-SSL requests.

Thanks!!! N.

8 Replies

  • Hi,

    How can you know whether it is SSL or not? Based on TCP port?

    You can use the following iRule:

    when CLIENT_ACCEPTED {
        # Plain-text port: do not negotiate SSL on this connection
        if { [TCP::local_port] == 80 } {
            SSL::disable
        }
    }
    
  • Why don't you create two VIPs with the same destination IP address? One with port 443 and a client SSL profile, and one with port any and no client SSL profile.

    SSL sessions will match the 443 VIP, all the other non-SSL sessions the any VIP.

    Cheers,

    Kees

  • eben

    Hi N.

    If you want to go with one VS for this config, I'd suggest using an iRule to limit incoming requests to the HTTP and HTTPS ports, for instance 3333 and 6666.

    Change the first iRule given by Stanislas from 80 to 3333. OR

    You can create 2 VS. This option will be a lot easier, though.

    HTH

    eben.

    • N__197982

      It would not help... there would be many requests, all on different ports.

  • Hello N.,

    You can do it differently.

    I suggest you use the following iRule. To summarize what it will do:

    1) First it will deactivate SSL processing for all client connections and collect the first 3 bytes of the TCP payload in the CLIENT_ACCEPTED event.

    2) Then, from the "CLIENT_DATA" event, it will look into the first 3 bytes retrieved. If it detects an SSL Client Hello handshake packet from version TLSv1.0 to TLSv1.2, it will enable SSL for these connections. If clients are connecting using the old vulnerable SSL versions 2.0 or 3.0, it will drop the requests (depending on your security policy you may change that). And finally, if the connection comes with something else, it will disable SSL processing.

    So you can apply this iRule and try it.

    when CLIENT_ACCEPTED {
        # Disable SSL processing
        SSL::disable

        # Collect first three bytes of the payload
        TCP::collect 3
    }

    when CLIENT_DATA {
        if { [TCP::payload length] >= 3 } {
            binary scan [TCP::payload 3] H* hex
            log local0. "Payload in HEX: $hex"

            switch $hex {
                "160301" -
                "160302" -
                "160303" {
                    # 160301 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.0
                    # 160302 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.1
                    # 160303 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.2
                    SSL::enable
                }

                "802201" -
                "160300" {
                    # 802201 corresponds to CLIENT HELLO SSL Handshake for version SSL 2.0
                    # 160300 corresponds to CLIENT HELLO SSL Handshake for version SSL 3.0
                    log local0. "[IP::client_addr] connecting with SSL 2.0 or SSL 3.0 unauthorized"
                    drop
                }

                default {
                    # Not an SSL/TLS handshake: keep SSL processing off
                    SSL::disable
                }
            }
        }

        TCP::release
    }


    Please give us feedback as soon as you try it.

    Regards
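The classification the iRule above performs on the first collected bytes, as an added Python example that is not code from this thread or from F5: it reproduces the same three-byte switch and, beyond what the iRule does, accepts any SSLv2 CLIENT-HELLO record length (not only 0x8022) and checks the handshake type byte when enough data is present. All sample payloads are constructed by hand.

```python
# Added example, not code from the thread: a Python port of the byte-sniffing
# logic in the iRule above, extended to (a) accept any SSLv2 CLIENT-HELLO rather
# than only the 0x8022 record length and (b) check the handshake type byte.
# All sample payloads are constructed by hand, not captured traffic.

TLS_RECORD_VERSIONS = {"160301": "TLSv1.0", "160302": "TLSv1.1", "160303": "TLSv1.2"}
CLIENT_HELLO = 0x01  # TLS handshake message type; also the SSLv2 CLIENT-HELLO type


def classify_client_payload(data: bytes) -> str:
    """Decide what the iRule would do with the first bytes a client sent.

    Returns one of:
      "need_more"  - fewer than 3 bytes collected, keep waiting
      "tls"        - TLS 1.0-1.2 record header (SSL::enable in the iRule)
      "legacy_ssl" - SSLv2 or SSLv3 ClientHello (the iRule drops these)
      "plaintext"  - anything else, SSL stays disabled
    """
    if len(data) < 3:
        return "need_more"
    first3 = data[:3].hex()
    if first3 in TLS_RECORD_VERSIONS:
        # Stricter than the iRule: a TLS record from the client whose handshake
        # type (byte 5) is not ClientHello is not a valid handshake start.
        if len(data) >= 6 and data[5] != CLIENT_HELLO:
            return "plaintext"
        return "tls"
    if first3 == "160300":
        return "legacy_ssl"  # SSLv3 record header
    # SSLv2 two-byte record header: high bit of the first byte set, the 15-bit
    # length follows, and the third byte is the message type (0x01 = CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return "legacy_ssl"
    return "plaintext"


if __name__ == "__main__":
    # Constructed samples: a TLS 1.2 ClientHello record start, the iRule's own
    # SSLv2 pattern, an SSLv3 record start, and a plaintext HTTP request.
    samples = {
        "tls12_hello": bytes.fromhex("160303002f0100002b0303"),
        "sslv2_hello": bytes.fromhex("8022010002"),
        "sslv3_hello": bytes.fromhex("160300002f0100002b0300"),
        "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    for name, payload in samples.items():
        print(f"{name:12s} first bytes {payload[:3].hex()} -> {classify_client_payload(payload)}")
```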

  • If you only want to disable SSL when the client sends a non-SSL request, enable "Non-SSL Connections" in the SSL profile.