Forum Discussion

jk20004_44080's avatar
jk20004_44080
Icon for Nimbostratus rankNimbostratus
Oct 05, 2018

best way to reject SSL Connections

We use IPI and we drop the requests via iRule because we cannot use ASM at every VS. today we reject the connect in then CLIENT_ACCEPTED but the result is a

 

SSL Handshake failed for TCP xxx.xxx.xxx.xxx:nnn -> xxx.xxx.xxx.xxx:nnn

 

in ltm log. do we have to accept that or is there a better way to reject connections like that?

 

let the connect go on until HTTP_REQUEST is not option because we have the same problem when we use a required Client Certificate where we check for example the UPN and we like to drop the connection if the UPN is invalid or missing.

 

  • I guess it depends on how you're doing the reject. If you're sending a reject in CLIENT_ACCEPTED based on the client IP address, you shouldn't be seeing SSL handshake errors. The best you can do though is to simply reject or drop the connection.

     

  • You are getting SSL error as the CLIENT_ACCEPTED event is triggered once the TCP connection has been established so the client has likely already sent the SSL Client Hello before being rejected.

     

    Personally if this is for security and public I would drop the connection instead of rejecting it. These will mean the client TCP connection will timeout.