ltm rule command SSL forward proxy
iRule(1) BIG-IP TMSH Manual iRule(1)
SSL::forward_proxy
Sets the SSL forward proxy bypass feature to bypass or intercept, retrieves the forged certificate, enables,
disables or gets the verified_handshake semantics, masks or ignores server-side certificate errors
(response_control) for the SSL handshake, or inserts an extension into the forged certificate.
SYNOPSIS
SSL::forward_proxy ( (policy (bypass | intercept)?) | cert)
SSL::forward_proxy verified_handshake (enable | disable) ?
SSL::forward_proxy cert response_control (ignore | mask) ?
SSL::forward_proxy extension oid oid-value
DESCRIPTION
This command sets the SSL forward proxy bypass feature to bypass or intercept, or retrieves the forged
certificate, when the policy or cert subcommand is specified. If the verified_handshake subcommand is
specified, the command enables, disables or retrieves the verified_handshake behavior for the SSL handshake.
If the response_control subcommand is specified, the command ignores or masks server-side certificate errors
while forging the client-facing certificate. If the extension subcommand is specified, the command inserts an
extension while forging the certificate.
RETURN VALUE
SSL::forward_proxy policy <[bypass] | [intercept]>
This command sets the policy of the SSL Forward Proxy Bypass feature to "bypass" or "intercept".
SSL::forward_proxy cert
Returns the X509 SSL certificate forged by the SSL forward proxy.
SSL::forward_proxy verified_handshake [ enable | disable ]
Returns the verified handshake value if no option is specified; otherwise sets the verified handshake to
enable or disable.
SSL::forward_proxy cert response_control [ ignore | mask ]
This command toggles between forging a good certificate (mask) and preserving the server-side certificate
errors (ignore) on the certificate sent to the client.
SSL::forward_proxy extension oid oid-value
This command inserts an extension into the forged certificate with OID=oid and value=oid-value.
VALID DURING
CLIENTSSL_SERVERHELLO_SEND CLIENT_ACCEPTED CLIENTSSL_CLIENTHELLO SERVER_CONNECTED SERVERSSL_SERVERCERT
SERVERSSL_HANDSHAKE
EXAMPLES
when CLIENTSSL_SERVERHELLO_SEND {
# Let the TLS session pass through without interception
log local0. "bypassing"
SSL::forward_proxy policy bypass
}
when CLIENTSSL_SERVERHELLO_SEND {
# Intercept the TLS session and present a forged certificate to the client
log local0. "intercepting"
SSL::forward_proxy policy intercept
}
when CLIENTSSL_SERVERHELLO_SEND {
# Retrieve the forged certificate and inspect it with the X509 commands
set cert [SSL::forward_proxy cert]
log local0. "Cert issuer - [X509::issuer $cert]"
}
when CLIENTSSL_CLIENTHELLO {
# Client-side half of the verified-handshake setting (see HINTS)
SSL::forward_proxy verified_handshake enable
set vhs [SSL::forward_proxy verified_handshake]
log local0. "Set clientside SSL forward proxy verified handshake to $vhs"
}
when CLIENTSSL_CLIENTHELLO {
# Add extensions to the forged certificate, by well-known name or by raw OID
SSL::forward_proxy extension AIA "ocsp,https://ocsp.entrust.net.com; caIssuer, https://aia.entrust.net/l1m-chain256.cer"
SSL::forward_proxy extension CRLDP "http://crl.entrust.net/level1m.crl"
SSL::forward_proxy extension 1.3.6.1.4.1.3375.3.1.1 "a F5 Network oid"
SSL::forward_proxy extension 1.2.3.4 "This is oid-value for oid 1.2.3.4"
}
when SERVER_CONNECTED {
# Server-side half of the verified-handshake setting (see HINTS)
SSL::forward_proxy verified_handshake enable
set vhs [SSL::forward_proxy verified_handshake]
log local0. "Set serverside SSL forward proxy verified handshake to $vhs"
}
when SERVERSSL_HANDSHAKE {
# If the server certificate failed verification, forge a good certificate anyway
if { [X509::verify_cert_error_string [SSL::verify_result]] ne "ok" } {
SSL::forward_proxy cert response_control mask
}
log local0. "Set mask option to forge a good certificate when server certificate is bad"
}
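The following iRule is an added example and is not part of the manual page: it enables the verified handshake on both the client and server side, and when the server certificate fails verification it keeps the error on the forged certificate with "response_control ignore" so the client's own validation still fails, instead of masking it with a clean certificate. The log facility and message wording are assumptions.

```tcl
# Added example, not from the manual page. Assumes the local0. log facility.
when CLIENTSSL_CLIENTHELLO {
    # Client-side half of the verified-handshake setting; both halves are
    # required for the behavior to take effect.
    SSL::forward_proxy verified_handshake enable
}
when SERVER_CONNECTED {
    # Server-side half of the verified-handshake setting.
    SSL::forward_proxy verified_handshake enable
}
when SERVERSSL_HANDSHAKE {
    # Check the result of the server-side certificate verification.
    set err [X509::verify_cert_error_string [SSL::verify_result]]
    if { $err ne "ok" } {
        # Preserve the server-side error on the forged certificate so the
        # client sees the failure rather than a forged "good" certificate.
        SSL::forward_proxy cert response_control ignore
        log local0. "Server certificate verification failed ($err); error preserved for client"
    }
}
when CLIENTSSL_SERVERHELLO_SEND {
    # Record which forged certificate was handed to the client.
    set cert [SSL::forward_proxy cert]
    log local0. "Forged cert issuer - [X509::issuer $cert]"
}
```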
HINTS
The "SSL::forward_proxy verified_handshake" command must be run on both the client and server side of the
forward proxy to configure the verified-handshake behavior.
SEE ALSO
CHANGE LOG
@BIGIP-15.1.0 -- The "extension" subcommand was introduced.
@BIGIP-15.0.0.0 -- The "response_control" subcommand was introduced.
@BIGIP-13.1.0.1 -- The "verified_handshake" subcommand was introduced.
@BIGIP-13.1.0 -- The "cert" subcommand was introduced.
@BIGIP-11.5.0 -- First introduced the command.
BIG-IP 2020-06-23 iRule(1)