Forum Discussion

BEdmunds_8904 (Nimbostratus)
Jun 19, 2012

Logging SSL Renegotiations

Hi All,

So I am a complete newb to both F5 and iRules. I've got an older version of LTM, 9.4.8 w/ HF 4. We are looking to upgrade and in particular to fix the CVE-2009-3555 vulnerability. Before doing so, we want to gauge the impact to our partners, so I'd like to log all SSL renegotiation handshakes.

Borrowing from the work of Lupo in, it looks like I could do the same, just leave off the close command.

So I end up with:

when CLIENT_ACCEPTED {
    # initialize TLS/SSL handshake count for this connection
    # (per-connection state is set up when the TCP connection is accepted)
    set sslhandshakecount 0
}

# if you have lower priority iRules on the CLIENTSSL_HANDSHAKE event, you have to make sure
# that they don't interfere with this iRule
when CLIENTSSL_HANDSHAKE priority 100 {
    # a handshake just occurred
    incr sslhandshakecount

    # is this the first handshake in this connection?
    if { $sslhandshakecount != 1 } {
        # log (rate limited) the event (to /var/log/tmm)
        log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred"
    }
}

Any thoughts or improvements? Is this the right approach?

I have opened a case with support too, Case C1141780.

Thanks for reading.


2 Replies

  • Hi,

    Yes, that looks like a sound approach if you just want to log renegotiations.

    The log output will get written to /var/log/ltm as opposed to the comments showing /var/log/tmm.
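The original poster's goal is to gauge which partners will be affected by disabling renegotiation, so the useful next step is to aggregate the lines the iRule writes to /var/log/ltm per virtual server and per client. The script below is an added example, not code from the thread or from F5: it parses the bracketed text exactly as the iRule's log call emits it (`[VS <name> client <ip>:<port>]: TLS/SSL renegotiation occurred`) and counts events and distinct clients. The syslog prefix on the constructed sample lines (timestamp, `tmm[pid]`, `Rule <name> <event>:`) is an assumption about how LTM prefixes iRule log output; the regex keys only on the bracketed part, so a different prefix does not matter. The iRule name `log_ssl_renego`, the virtual server names and the client addresses are constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample /var/log/ltm excerpt. The bracketed text is the exact shape the
# iRule above produces; everything before it is an assumed syslog/tmm prefix.
# The last line is unrelated noise the parser must ignore.
SAMPLE_LOG = """\
Jun 19 09:12:01 tmm tmm[1932]: Rule log_ssl_renego <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 192.0.2.10:51234]: TLS/SSL renegotiation occurred
Jun 19 09:12:05 tmm tmm[1932]: Rule log_ssl_renego <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 192.0.2.10:51234]: TLS/SSL renegotiation occurred
Jun 19 09:13:44 tmm tmm[1932]: Rule log_ssl_renego <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 198.51.100.7:40022]: TLS/SSL renegotiation occurred
Jun 19 09:14:00 tmm tmm[1932]: Rule log_ssl_renego <CLIENTSSL_HANDSHAKE>: [VS vs_public_https client 203.0.113.5:33011]: TLS/SSL renegotiation occurred
Jun 19 09:14:02 tmm tmm[1932]: 01260009:4: Connection error: ssl_hs_rxhello:3592: unsupported version (40)
"""

# Matches the literal text written by:
#   log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred"
# The address class admits IPv6; backtracking leaves the final ":<port>" for the port group.
RENEGO_RE = re.compile(
    r"\[VS (?P<vs>\S+) client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]: "
    r"TLS/SSL renegotiation occurred"
)


def parse_renegotiations(text):
    """Yield (virtual_server, client_ip, client_port) for every renegotiation log line."""
    for line in text.splitlines():
        m = RENEGO_RE.search(line)
        if m:
            yield m.group("vs"), m.group("ip"), int(m.group("port"))


def summarize(text):
    """Aggregate renegotiation events: per VS, per client IP, per TCP connection,
    and the distinct client IPs seen on each VS (the partner-impact view)."""
    per_vs = Counter()
    per_client = Counter()
    per_connection = Counter()
    clients_by_vs = defaultdict(set)
    for vs, ip, port in parse_renegotiations(text):
        per_vs[vs] += 1
        per_client[ip] += 1
        per_connection[(vs, ip, port)] += 1
        clients_by_vs[vs].add(ip)
    return {
        "per_vs": dict(per_vs),
        "per_client": dict(per_client),
        "per_connection": dict(per_connection),
        "distinct_clients_by_vs": {vs: sorted(ips) for vs, ips in clients_by_vs.items()},
    }


def report(text):
    """Render the summary as text; returns the report string."""
    s = summarize(text)
    lines = ["Renegotiations per virtual server:"]
    for vs, n in sorted(s["per_vs"].items()):
        clients = ", ".join(s["distinct_clients_by_vs"][vs])
        lines.append(f"  {vs}: {n} event(s) from {len(s['distinct_clients_by_vs'][vs])} client(s) [{clients}]")
    lines.append("Connections with more than one renegotiation:")
    for (vs, ip, port), n in sorted(s["per_connection"].items()):
        if n > 1:
            lines.append(f"  {vs} {ip}:{port}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python renego_report.py /var/log/ltm   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against the real /var/log/ltm once the iRule has been in place for a representative period; the "distinct clients per VS" list is the set of partner source addresses that would be affected by disabling renegotiation, and the per-connection counts show whether a given client renegotiates habitually (for example on every request) or only occasionally.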