This topic details the specifications for DataScript SSL functions available on Avi Load Balancer .
Function |
Description |
|---|---|
Return the SSL ciphers and settings. |
|
Returns the client's certificate, or part of it. |
|
avi.ssl.get_tls_fingerprint(type) |
Returns the TLS fingerprint negotiated for the SSL/TLS connection between the client and the virtual service. |
Return the SSL version. |
|
Return SNI name field. |
|
This API can be used to change the SSL profile to a different profile based on some factors like Client IP, TLS servername, and more. |
|
This API can be used to change the SSL key and certificate to a different object based on factors like Client IP, TLS servername, and more. |
|
This API can be used to change the PKI profile of the initial or the renegotiated TLS session based on factors like Client IP, TLS server name, HTTP host or URI etc. |
|
This API can be used to renegotiate TLS connection with the client after changing the PKI profile, mode and frequency based on factors like Client IP, TLS servername, HTTP host or URI and more. |
|
This API is used to get the result of the client certificate authentication and CRL checks. |
|
This API accepts a verify error code and returns an error string associated with that error code. |
|
This API is used to get the client certificate authentication mode. |
|
This API is used to find out whether client certificate verification is complete. |
|
This API is used to clear SSL client certificate verification error on the TLS connection. |
|
This API is used to log the client certificate authentication failure. The error is added to the application log as a significance log. |
|
This API is used to clear SSL session cache entry of the TLS connection. |
|
This API is used to get the result of the client certificate authentication and CRL checks. |
|
This API is used to determine the length of the cipher suite negotiated for the SSL or TLS connection between the client and the virtual service. |
|
This API is used to get the client certificate in the PEM format for an established SSL connection. |
avi.ssl.cipher
Function |
|
Description |
Returns the name of the cipher suite negotiated for the SSL/TLS connection between the client and the virtual service and may optionally include the version, key exchange method (Kx), authentication method (Au), encryption method (Enc), and MAC selected (Mac). The returned cipher suite information is in OpenSSL format. See www.openssl.org/docs/manmaster/apps/ciphers.html for examples of OpenSSL formatted cipher suites. |
Events |
|
Parameter |
Optional boolean |
Returns |
A string value containing the cipher information for the SSL/TLS connection. When the |
Example 1 |
Deny clients connecting with unsupported ciphers. cipher_name = avi.ssl.cipher()
if cipher_name == "RC4-SHA" then
avi.http.response(200, {content_type="text/html"},
"Upgrade your client to use modern and secure ciphers."
)
end |
Example 2 |
Insert a header to the server indicating the key exchange method negotiated with the client. cipher = avi.ssl.cipher(true)
-- get the key exchange method from the cipher detail using pattern matching
-- %w matches alphanumeric characters
kx = string.match(cipher, "Kx=(%w+)")
if kx then
avi.http.add_header("X-KeyExchange", kx)
end |
avi.ssl.client_cert
Function |
avi.ssl.client_cert( [ [avi.CLIENT_CERT], [avi.CLIENT_CERT_FINGERPRINT], [avi.CLIENT_CERT_SUBJECT], [avi.CLIENT_CERT_ISSUER], [avi.CLIENT_CERT_SERIAL], [avi.CLIENT_CERT_NOTVALIDBEFORE], [avi.CLIENT_CERT_NOTVALIDAFTER], [avi.CLIENT_CERT_VERSION], [avi.CLIENT_CERT_SIGALG], [avi.CLIENT_CERT_ESCAPED], [avi.CLIENT_CERT_SAN_EXTENSION], [avi.CLIENT_CERT_X509_EXTENSIONS] ] ) |
Description |
Returns the client certificate in the PEM format for an established SSL connection. Optional parameters will filter the fields returned from the client certificate. |
Events |
|
Parameter |
Returns the client certificate in the PEM format for an established SSL connection from the client to the virtual service when no argument or avi.CLIENT_CERT is specified, with each line except the first prepended with the tab character.
|
Returns |
Up to nine arguments pertaining to the client certificate and its fields. |
Example 1 |
If the certificate's issuer is not correct, add the issuer to a header and forward to a quarantine server pool. if avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER) ~=
"/C=US/O=foo/OU=www.foo.com/CN=www.foo.com/[email protected]" then
avi.http.add_header("client_cert_issuer",
avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER))
avi.pool.select("Quarantine-Pool")
end |
Example 2 |
Logs the client certificate attributes for the SSL connection. if avi.http.secure() then -- test if the connection is secure fingerprint = avi.ssl.client_cert(avi.CLIENT_CERT_FINGERPRINT) avi.vs.log(fingerprint) end |
avi.ssl.get_tls_fingerprint(type)
Function |
avi.ssl.get_tls_fingerprint(type) |
|---|---|
Description |
Returns the tls fingerprint negotiated for the SSL/TLS connection between the client and the virtual service. |
Events |
SSL_CLIENT_HELLO SSL_HANDSHAKE_DONE HTTP_AUTH HTTP_POST_AUTH HTTP_REQ HTTP_REQ_BODY LB_DONE HTTP_RESP HTTP_RESP_FAILED HTTP_RESP_BODY |
Parameter |
The type of fingerprint has to be passed in as a parameter. There are 3 types:
|
Returns |
The TLS fingerprint requested by the user. |
Example |
-- Fingerprint type requested is normalized fp = avi.ssl.get_tls_fingerprint('normalized') avi.vs.log(fp) -- Check fingerprint with latest Chrome fingerprint. if fp != "63dd266cda0237eda76527ee6ef1d219" then return avi.http.response(403) endThe above DataScript will only allow Chrome browser users with the given fingerprint (sent by Chrome version 115). |
avi.ssl.protocol
Function |
avi.ssl.protocol() |
Description |
Returns the protocol of an established SSL connection. For example: TLSv1.1. |
Events |
|
Parameter |
None |
Returns |
Returns a string of the SSL/TLS version or unknown |
Example |
if avi.ssl.protocol() == "TLSv1.0" then
avi.http.response(404, {content_type="text/html"},
"Your browser's SSL version, " .. avi.ssl.protocol() .. " is old. Upgrade your browser and try again.")
end |
avi.ssl.server_name
Function |
avi.ssl.protocol() |
Description |
Returns the protocol of an established SSL connection. For example: TLSv1.1. |
Events |
HTTP_REQ HTTP_RESP |
Parameter |
None |
Returns |
A string of the requested SNI name. |
Example |
Insert a header declaring the SNI name requested by the client. avi.http.add_header("X-SNI ", avi.ssl.server_name()) |
avi.ssl.set_ssl_profile
Function |
avi.ssl.set_ssl_profile(<SSL Profile Name>) |
Description |
This function is used to change the SSL profile to a different profile based on some factors like Client IP address, TLS servername, and more. |
Events |
|
Parameter |
Name of the SSL parameter |
Returns |
None |
Example |
if avi.ssl.server_name() == "legacy.example.com" then
avi.ssl.set_ssl_profile("legacy_ssl_profile") endIf |
avi.ssl.set_ssl_certificate
Function |
avi.ssl.set_ssl_certificate(<SSLKeyAndCertificate>) |
Description |
This function is used to change the SSL key and certificate to a different object based on factors like Client IP address, TLS server name, etc. |
Events |
|
Parameter |
Name of the SSL Key and certificate object. |
Returns |
None |
Example |
if avi.ssl.server_name() == "legacy.example.com" then
avi.ssl.set_ssl_certificate("RSACertificate")
avi.ssl.set_ssl_certificate("ECCertificate")
end |
avi.ssl.set_pki_profile
Function |
|
Description |
This function is used to change the PKI profile of the initial or the renegotiated TLS session based on factors like Client IP address, TLS server name, HTTP host or URI, etc.
PKI configuration from the DataScript takes precedence over the configuration from the application profile. |
Events |
|
Parameter |
Currently, in the application profile, there are two knobs. One knob controls the mode, and the other knob controls the PKI profile object. The API is a mode (mandatory) with a profile name (optional) and frequency of authentication (optional) parameter. The following are the three modes supported:
|
Returns |
None |
Example |
To disable client certificate authentication
if avi.ssl.server_name() == "legacy.example.com" then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_DISABLE)
endHere, the client verififcation for the PKI profile is disabled on this TLS server connections. To change client certificate authentication settings. if avi.ssl.server_name() == "secure.example.com" then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-crl", avi.AUTHENTICATE_ONLY_ONCE)
else
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUEST)
endIf the TLS Server name is |
Since the PKI configuration can be done through the application profile and DataScripts, during execution, the PKI profile configured through DataScript takes precedence over the configuration made through the Application Profile.
For example, if the PKI profile is configured to mark the certificate as required, but if through DataScripts the PKI profile for a specific server name is marked to be disabled, this will override the application profile configuration.
avi.ssl.renegotiate
Function |
|
Description |
This function renegotiates the TLS connection with the client after changing the PKI profile, mode, and frequency based on factors like Client IP, TLS server name, HTTP host or URI, etc. If client certificate authentication is enabled before the renegotiate API call, the PKI settings are applied to the SSL session renegotiation. HTTP requests will be parked until renegotiation is complete. SSL renegotiation will disable SSL session resumption on the connection.
Note:
If using renegotiation after changing PKI settings on the connection, the user's script must handle the result of the client authentication. Otherwise, the subsequent request on the TLS connection could fail. The script could either choose to clear the error or close the connection. |
Events |
|
Parameter |
None |
Returns |
None |
Example |
To disable client certificate authentication: if string.contains(avi.http.get_uri(), \"secure\") then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
verify_err, error_code = avi.ssl.client_cert_verify_error()
if verify_err == 0 or (verify_err == 2 and error_code ~= 0) then
avi.http.close_connection()
end
end Here, we are checking for a specific URI, then changing the PKI attributes and doing an SSL renegotiate. Then, if there is an error, close the connections. |
In case there is an error but you have decided not to close the connection, then rectify the error. If you do not clear the error, subsequent requests might go into a path where the DataScript is not chit considered, and the native request flow closes the connection due to the error.
Renegotiation does not work with HTTP2 Protocol and TLS1.3 protocol.
avi.ssl.clear_client_cert_verify_error
Function |
|
Description |
This function can be used to clear the SSL client certificate verification error on the TLS connection. Internally, the API sets ' |
Events |
|
Parameter |
None |
Returns |
No value |
Example |
if avi.ssl.server_name() == "secure.example.com" && avi.ssl.get_client_cert_verify_mode() == 0 then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
verify_err, err_code = avi.ssl.client_cert_verify_error()
if err_code ~= 0 and avi.ssl.client_cert_verify_error_string(err_code) == 'X509_V_ERR_CRL_HAS_EXPIRED' then
avi.ssl.clear_client_cert_verify_error()
end
end |
avi.ssl.client_cert_verify_error_string
Function |
|
Description |
This API accepts a verify error code and returns an error string associated with that error code |
Events |
|
Parameter |
One integer argument as |
Returns |
This DataScript function returns error strings given the verify error code from OpenSSL verify documentation to understand the specific meaning of these error codes returned by SSL stack. |
Example |
if avi.ssl.server_name() == "secure.example.com" then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
verify_err, error_code = avi.ssl.client_cert_verify_error()
if verify_err == 0 or (verify_err == 2 and avi.ssl.client_cert_verify_error_string(error_code) ~= 'X509_V_OK') then
avi.http.close_connection()
end
end |
avi.ssl.client_cert_verify_mode
Function |
|
Description |
This DataScript function is used to get the client certificate authentication mode |
Events |
|
Parameter |
None |
Returns |
This DataScript function returns one of the following values :
|
Example |
if avi.ssl.server_name() == "secure.example.com" && avi.ssl.get_client_cert_verify_mode() == 0 then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
end |
avi.ssl.client_cert_verified
Function |
|
Description |
This DataScript function is used to find if the client certificate verification is completed. |
Events |
|
Parameter |
None |
Returns |
This DataScript function returns one of the following values:
|
Example |
if avi.ssl.server_name() == "secure.example.com" && avi.ssl.client_cert_verified() == 0 then avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE) avi.ssl.renegotiate() end |
avi.ssl.clear_client_cert_verify_error
Function |
|
Description |
This function can be used to clear the SSL client certificate verification error on the TLS connection. Internally, the API sets ' |
Events |
|
Parameter |
None |
Returns |
No Value |
Example |
if avi.ssl.server_name() == "secure.example.com" && avi.ssl.get_client_cert_verify_mode() == 0 then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
verify_err, err_code = avi.ssl.client_cert_verify_error()
if err_code ~= 0 and avi.ssl.client_cert_verify_error_string(err_code) == 'X509_V_ERR_CRL_HAS_EXPIRED' then
avi.ssl.clear_client_cert_verify_error()
end
end |
avi.ssl.log_client_cert_verify_error
Function |
|
Description |
This DataScript function is used for logging the client certificate authentication failure. The error is added to the application log as a significance log. For example, client certificate verification failed: client x509 certificate verification failed. |
Events |
|
Parameter |
None |
Returns |
None |
Example |
if avi.ssl.server_name() == "secure.example.com" &&
avi.ssl.get_client_cert_verify_mode() ~= 0 then
avi.ssl.log_client_cert_verify_error()
end |
avi.ssl.remove_session
Function |
|
Description |
This API is be used to clear SSL session cache entry of the TLS connection. |
Events |
|
Parameter |
None |
Returns |
None |
Example |
if string.contains(avi.http.get_uri(), \"logout.html\") then
avi.ssl.remove_session()
end |
avi.ssl.get_client_cert_verify_mode
Function |
|
Events |
|
Parameter |
None |
Returns |
This DataScript function returns one of the following values:
|
Example |
if avi.ssl.server_name() == "secure.example.com" && avi.ssl.get_client_cert_verify_mode() == 0 then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUIRE, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
end |
avi.ssl.cipher_len
Function |
|
Description |
Returns the length of the cipher suite negotiated for the SSL/TLS connection between the client and the virtual service. |
Parameter |
None |
Events |
|
Example |
-- Cipher selected is ECDHE-RSA-AES128-GCM-SHA256
cipher_len = avi.ssl.cipher_len()
-- cipher_len = 128
avi.vs.log("Cipher length: "..cipher_len) |
This API is not supported in the events SSL_PRECONNECT and SSL_CLIENTHELLO.
datascript-avi-ssl-client-cert-verify-error
Function |
|
Description |
This API can be used to get the result of the client certificate authentication and CRL checks. |
Parameter |
None |
Events |
|
Returns |
This API returns two values:
|
Example |
if avi.ssl.server_name() == "secure.example.com" then
avi.ssl.set_pki_profile(avi.CLIENT_VERIFY_REQUEST, "pkiprofile-ca", avi.AUTHENTICATE_ONLY_ONCE)
avi.ssl.renegotiate()
verify_err, error_code = avi.ssl.client_cert_verify_error()
if verify_err == 0 or (verify_err == 2 and error_code ~= 0) then
avi.http.close_connection()
end
end |
avi.ssl.client_cert
Function |
|
Description |
Returns the client certificate in the PEM format for an established SSL connection. Optional parameters will filter the fields returned from the client certificate. |
Events |
|
Parameters |
When no argument or avi.CLIENT_CERT is specified, returns the client certificate in the PEM format for an established SSL connection from the client to the virtual service, with each line except the first prepended with the tab character.
|
Returns |
Up to nine arguments, pertaining to the client cert and its fields. |
Example 1 |
If the certificate issuer is not correct, add the issuer to a header and forward to a quarantine server pool. if avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER) ~=
"/C=US/O=foo/OU=www.foo.com/CN=www.foo.com/[email protected]" then
avi.http.add_header("client_cert_issuer",
avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER))
avi.pool.select("Quarantine-Pool")
end |
Example 2 |
Logs the client cert attributes for the SSL connection. if avi.http.secure() then -- test if the connection is secure fingerprint = avi.ssl.client_cert(avi.CLIENT_CERT_FINGERPRINT) avi.vs.log(fingerprint) end |
Example 3 |
When you send a client certificate in a HTTP request, the client escaped certificate in displayed in the DS/HTTP policy header. escaped_cert = avi.ssl.client_cert(avi.CLIENT_CERT_ESCAPED)
avi.vs.log(escaped_cert)
avi.http.add_header("escaped_client_cert",escaped_cert) |
This API is not supported in the events SSL_PRECONNECT and SSL_CLIENTHELLO.
avi.utils.get_ip_reputation
You can use Webroot DB for IP reputation check in L7 DataScript using Lua function.
is_good, reputation_type = avi.utils.get_ip_reputation(ip_addr)
First return value for is_good is true/false. This indicates if the given IP is of good reputation.
The second return value is a bitmap of IP reputation type and is valid only if is_good is false. For instance, value 1 indicates Spam Source (bit 0 set), and value 17 indicates Spam Source and Scanner (bits 0 and 4 sets).
For more information, see the IP Reputation topic in the VMware NSX Advanced Load Balancer WAF Guide.
The function will use the IP reputation database configured for a virtual service DataScript set.
You can use API or CLI to configure VSDataScriptSet to use IPReputationDB.
The Lua function will accept both IPv4 and IPv6 addresses. However, it will always return true for IPv6 addresses because the IP reputation database currently contains only IPv4 address information.
The format of the ip_addr parameters is expected to be as returned by avi.vs.client_ip(), which is a presentation format, for instance, 1.2.3.4.
message VSDataScriptSet {
...
optional string ip_reputation_db_uuid = 58 [
(refers_to) = "IPReputationDB",
...
]
...
}
Configuration Workflow
When a script uses the new avi.utils.get_ip_reputation(ip_addr) function, IPReputationDB should be configured at the VSDataScriptSet level.
