SSL::forward_proxy

Description

This command controls the SSL forward proxy: it sets the SSL forward proxy bypass feature to bypass or intercept, returns the certificate the proxy forges, and configures the verified-handshake, response-control, certificate-status and extension behaviour of the forged certificate.

Syntax

SSL::forward_proxy policy <[bypass] | [intercept]>

# introduced in v13.1 #
SSL::forward_proxy cert
SSL::forward_proxy verified_handshake <enable | disable>

# introduced in v15.0 #
SSL::forward_proxy cert response_control <ignore | mask>

# introduced in v16.0 #
SSL::forward_proxy extension <oid oid-value>

# introduced in v16.1 #
SSL::forward_proxy cert status [revoke]

SSL::forward_proxy policy <[bypass] | [intercept]>

  • This command sets the policy of the SSL Forward Proxy Bypass feature to “bypass” or “intercept”.

SSL::forward_proxy cert

  • Returns the X509 SSL certificate forged by the SSL forward proxy.

SSL::forward_proxy verified_handshake <enable | disable>

  • Returns the verified handshake value if no option is specified, else sets the verified handshake to enable or disable. The “SSL::forward_proxy verified_handshake” command must be run on both the client and server side of the forward proxy to configure the verified-handshake behavior.

    Note: This is introduced in 13.1.0.1

SSL::forward_proxy cert response_control <ignore | mask>

  • This command toggles whether the forward proxy forges a good certificate for the client (mask) or preserves the server-side certificate errors in the certificate sent to the client (ignore).

    Note: This is introduced in 15.0


SSL::forward_proxy cert status [revoke]

  • This command internally sets the server certificate status to revoked. Any certificate status retrieved from the server side is overwritten with a revoked status.

    Note: This is introduced in 16.1


SSL::forward_proxy extension <oid oid-value>

  • This command inserts <oid oid-value> as an extension to the forged certificate with OID=oid and value=oid-value.

    Note: This is introduced in 15.1


Examples

when CLIENTSSL_SERVERHELLO_SEND {
    log local0. "bypassing"
    SSL::forward_proxy policy bypass
}

when CLIENTSSL_SERVERHELLO_SEND {
    log local0. "intercepting"
    SSL::forward_proxy policy intercept
}

when CLIENTSSL_SERVERHELLO_SEND {
    set cert [SSL::forward_proxy cert]
    log local0. "Cert issuer - [X509::issuer $cert]"
}

when CLIENTSSL_CLIENTHELLO {
    SSL::forward_proxy verified_handshake enable
    set vhs [ SSL::forward_proxy verified_handshake ]
    log local0. "Set clientside SSL forward proxy verified handshake to $vhs"
}

when CLIENTSSL_CLIENTHELLO {
    SSL::forward_proxy extension AIA "ocsp,https://ocsp.entrust.net.com; caIssuer, https://aia.entrust.net/l1m-chain256.cer"
    SSL::forward_proxy extension CRLDP "http://crl.entrust.net/level1m.crl"
    SSL::forward_proxy extension 1.3.6.1.4.1.3375.3.1.1 "a F5 Network oid"
    SSL::forward_proxy extension 1.2.3.4 "This is oid-value for oid 1.2.3.4"
}

when SERVER_CONNECTED {
    SSL::forward_proxy verified_handshake enable
    set vhs [ SSL::forward_proxy verified_handshake ]
    log local0. "Set serverside SSL forward proxy verified handshake to $vhs"
}

when SERVERSSL_HANDSHAKE {
    # Only mask when the server-side chain actually failed verification
    if { [X509::verify_cert_error_string [SSL::verify_result]] ne "ok" } {
        SSL::forward_proxy cert response_control mask
        log local0. "Set mask option to forge a good certificate when server certificate is bad"
    }
}

when SERVERSSL_SERVERCERT {
    if { [SSL::cert count] != 0 } {
        set subject_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        if { $subject_cn equals "xyz.com" } {
            log local0. "Set certificate status as revoked when server certificate CN matches 'xyz.com'"
            SSL::forward_proxy cert status revoke
        }
    }
}
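
The following iRule is an added example, not one of the page's own examples, that combines the "policy" and "cert" subcommands above: it reads the subject CN of the certificate the proxy would forge and chooses bypass or intercept per connection against a list of hosts that must not be decrypted. It assumes a string data group named bypass_cn_dg (a hypothetical name) that holds the domain suffixes to leave untouched; class match, findstr and X509::subject are standard iRule commands.

```tcl
# Added example (not from the original page): per-connection bypass/intercept
# decision driven by the subject CN of the certificate the forward proxy
# would forge. Assumes a string data group "bypass_cn_dg" (hypothetical)
# listing domain suffixes whose sessions must stay end-to-end encrypted,
# e.g. "bank.example" or "health.example".
when CLIENTSSL_SERVERHELLO_SEND {
    # Certificate the proxy is about to present to the client
    set cert [SSL::forward_proxy cert]

    # findstr: skip the 3 characters of "CN=" and read up to the next ","
    set subject_cn [string tolower [findstr [X509::subject $cert] "CN=" 3 ","]]

    if { $subject_cn ne "" && [class match $subject_cn ends_with bypass_cn_dg] } {
        # Sensitive destination: hand the TLS session through undecrypted
        SSL::forward_proxy policy bypass
        log local0. "forward proxy: bypass for $subject_cn"
    } else {
        # Everything else is decrypted and inspected
        SSL::forward_proxy policy intercept
        log local0. "forward proxy: intercept for $subject_cn"
    }
}
```

The decision is made in CLIENTSSL_SERVERHELLO_SEND because, as the page's own examples show, that is where both the forged certificate and the policy command are available; logging the chosen policy with the CN gives a per-connection audit trail of what was and was not inspected.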