issues capturing client and server side SSL handshake (only TCP profile on VIP)
Hi, I'm trying to capture both the client and server side of an SSL negotiation. I can capture the client-side handshake fine, but I only seem to be able to capture payload post SSL/TLS negotiation on the server side.
when CLIENT_ACCEPTED priority 300 {
    # hold the client's first bytes (the TLS ClientHello) until released
    TCP::collect
    # other unimportant logic here
}
when CLIENT_DATA priority 200 {
    # store the original handshake to replay to the server after the CONNECT
    binary scan [TCP::payload] H* orig
    log -noname local5. "orig: $orig"
    # more unimportant logic here
    TCP::release
}
when SERVER_CONNECTED priority 200 {
    # hold the server's first bytes so SERVER_DATA sees them
    TCP::collect
}
when SERVER_DATA priority 200 {
    binary scan [TCP::payload] H* px_reply_dump
    log local5. "[IP::client_addr]:[TCP::client_port] px dump '$px_reply_dump' orig '$orig'"
    # even more unimportant logic here
    TCP::release
}
On the client side I get the handshake: 1603010048010000440301572263f9c084b8c4beb8b841bf536d6aea85dbe173bacb4f88ede3115db1a08900001600040005000a0009006400620003000600130012006301000005ff01000100
On the server side I get the payload, which is HTTP 200 continue: 485454502f312e302032303020436f6e6e65637465640d0a0d0a
I have tried all sorts of things to try and capture the server side: collecting in LB_SELECTED, using TCP::notify to collect in USER_REQUEST.
I have seen examples like this: https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections but in my case I just don't get the handshake.
Any advice or pointers?
The VS the iRule is on:
ltm virtual test_proxy_intercept {
    destination 0.0.0.0:https
    ip-protocol tcp
    mask any
    pool test_proxy_intercept
    profiles {
        tcp { }
    }
    rules {
        proxy-https
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans {
        Inside-F5
        Outside-F5
    }
    vlans-enabled
    vs-index 4698
}
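The two hex dumps in the post decoded, as an added example that is not part of the original post or of any F5 code: a small Python decoder that parses the client-side dump as a TLS record carrying a ClientHello (record version, hello version, cipher suites, extensions) and recognises the server-side dump as an HTTP response status line. The input strings are the dumps copied from the post; the function names are mine; the cipher-suite names come from the IANA TLS cipher suite registry.

```python
import struct

# Hex dumps copied from the post above (output of the iRule's `binary scan ... H*`).
CLIENT_HEX = ("1603010048010000440301572263f9c084b8c4beb8b841bf536d6aea85dbe173"
              "bacb4f88ede3115db1a08900001600040005000a0009006400620003000600130012"
              "006301000005ff01000100")
SERVER_HEX = "485454502f312e302032303020436f6e6e65637465640d0a0d0a"

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

# Names for the suites that occur in the dump (IANA TLS cipher suite registry).
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def parse_client_hello(data: bytes):
    """Return a dict describing a ClientHello carried in a TLS record, or None."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:   # version + random + session id length
        return None
    version = (hello[0], hello[1])
    pos = 2
    random = hello[pos:pos + 32]; pos += 32
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len]); pos += comp_len
    extensions = []   # list of (type, raw body) pairs
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            extensions.append((etype, hello[pos:pos + elen])); pos += elen
    return {
        "kind": "tls_client_hello",
        "record_version": (data[1], data[2]),
        "version": version,
        "random": random.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": suites,
        "cipher_suite_names": [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites],
        "compression": compression,
        "extensions": extensions,
    }


def parse_http_status(data: bytes):
    """Return a dict for an HTTP response status line, or None."""
    if not data.startswith(b"HTTP/"):
        return None
    line, _, _ = data.partition(b"\r\n")
    parts = line.decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return {"kind": "http_response", "version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else ""}


def classify(hexdump: str):
    """Decode a `binary scan H*` dump as a TLS ClientHello, an HTTP response, or unknown."""
    data = bytes.fromhex(hexdump)
    return (parse_client_hello(data) or parse_http_status(data)
            or {"kind": "unknown", "length": len(data)})


if __name__ == "__main__":
    for label, dump in (("client", CLIENT_HEX), ("server", SERVER_HEX)):
        print(label, classify(dump))
```

Run against the two dumps, the decoder reports the client-side bytes as a TLS 1.0 record (0x0301) carrying a ClientHello with an empty session ID, eleven cipher suites (RC4, DES, 3DES and several export-grade suites), and a single renegotiation_info (0xff01) extension, and the server-side bytes as the ASCII text "HTTP/1.0 200 Connected\r\n\r\n", i.e. a proxy's answer to a CONNECT rather than a TLS record. That matches the post's observation: the first bytes returned on the server side are the proxy's CONNECT reply, so a server-side TLS handshake could only appear in a later SERVER_DATA collection, after the stored ClientHello has actually been sent through the established tunnel.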