TLS iRule fails after recent browser updates #3402
Comments
@trinaths do you know where the irule is deployed by CIS? I could not find
@vincentmli it probably is in k8s-bigip-ctlr/pkg/controller/routing.go Lines 715 to 723 in 4088633
@htioekb Please share the CIS configuration, error log, and steps to reproduce this issue with automation_toolchain_pm@f5.com
Created [CONTCNTR-4710] for internal tracking.
@trinaths @vklohiya fyi, below is the tested code working for users, please review in case anything missing
We're also affected by this issue
@shkarface, please use this build and verify the fix. Build: cisbot/k8s-bigip-ctlr:browserUpdateIssue Note: This is a dev build on which only the smoke tests are performed.
I have built the image from source after changing the irules in the source code to what you have provided, and it's working like a charm
@shkarface Is this build working well for this issue?
I have not checked this build tbh. As mentioned before, we have a custom build that fixes this issue; because we're also affected by another bug, #3401, we need a custom build.
@vklohiya Was this dev build built using 2.16.1 + irule fix or was it built from source prior to 2.16.1?
@pmilot, it's built on top of 2.16.1.
@pmilot This fix will be a part of CIS 2.17
Setup Details
CIS Version : 2.16.1
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 15.1.10.3
AS3 Version: 3.48
Agent Mode: AS3
Orchestration: K8S
Orchestration Version:
Pool Mode: Nodeport
Additional Setup details: -
Description
A recent Chrome update has modified the TLS handshake to include random grease, resulting in some TLS payloads being split into two packets. When the TLS server name extension is in the second packet, the generated iRule fails and the connection is reset.
Original iRule (part):
Fixed iRule (provided by F5 support team):
Steps To Reproduce
Expected Result
All resources are loaded without errors and connection resets
Actual Result
Some resources fail to load, connection reset.
Diagnostic Information
LTM log message when iRule is executed and connection resets
Observations (if any)
The observed problem occurs in all browsers (Chrome, Edge, Firefox), and the F5 support team confirmed that recent updates cause the change in behaviour.
The iRule provided by F5 reads the whole TLS payload, even if it is split into two packets, and allows the TLS payload to be parsed correctly.
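
The failure mode described above, as an added Python illustration (not the iRule from this issue, not F5's fix and not CIS code): an SNI parser that reads the TLS record length first and signals "need more data" when the ClientHello is only partly buffered, plus a collector that keeps appending TCP segments until the record is complete. All function names and the sample ClientHello are constructed for this example, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

class NeedMoreData(Exception):
    """The TLS record is not fully buffered yet."""

def build_client_hello(host):
    # Constructed sample: minimal ClientHello, GREASE-style extension before SNI.
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0A0A, 0) + struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"       # one cipher suite, null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(buf):
    # Return the SNI host name, None if absent, or raise NeedMoreData.
    if len(buf) < 5:
        raise NeedMoreData()
    ctype, _version, rec_len = struct.unpack("!BHH", buf[:5])
    if len(buf) < 5 + rec_len:
        raise NeedMoreData()                        # rest of the record is in a later segment
    rec = buf[5:5 + rec_len]
    if ctype != 0x16 or rec[:1] != b"\x01":
        raise ValueError("not a TLS ClientHello record")
    pos = 4 + 2 + 32                                # handshake header, version, random
    pos += 1 + rec[pos]                             # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")   # cipher suites
    pos += 1 + rec[pos]                             # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        if etype == 0:                              # server_name extension
            nlen = int.from_bytes(rec[pos + 7:pos + 9], "big")
            return rec[pos + 9:pos + 9 + nlen].decode("ascii")
        pos += 4 + elen
    return None

def sni_from_segments(segments):
    buf = b""
    for count, seg in enumerate(segments, 1):
        buf += seg                                  # keep collecting across segments
        try:
            return parse_sni(buf), count
        except NeedMoreData:
            continue
    raise NeedMoreData()
```

Parsing only the first segment of a split handshake raises `NeedMoreData`, which corresponds to the case where the server name extension arrives in the second packet.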