Forum Discussion
Walker_111918
Nimbostratus
Apr 24, 2012
Change SSL::profile depending on user-agent
Is it possible to change the SSL::profile depending on user-agent? I tried something like this: fingerprint_sha has 3 states:
0: not set
1: sha1
2: sha256
set fing...
Joel_Moses
Nimbostratus
May 04, 2012
Here's an idea.
Windows XP doesn't present the SSL SNI field when setting up an SSL/TLS session. It's not a totally precise way to identify Windows XP (it will also get other browsers that don't send an SNI field), but it would let you switch the profile after the initial client SSL request -- which is absolutely possible. I wrote an iRule that switches pools and SSL profiles based on the SNI hostname:
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx
A modification to this rule could replace the default sha256-cert containing profile with the sha1 profile for browsers that don't seem to present SNI. That would include all XP users but present the "more secure" default cert for Vista/Win7. I'll see if I can find some time to try this.
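The check described in the reply above (does the ClientHello carry an SNI extension, and which certificate profile follows from that), as an added example that is not part of the original post or the linked iRule. It is written in Python rather than as an iRule so the parsing can be run offline; the profile names and the `build_client_hello` sample generator are hypothetical, and the parser assumes the whole ClientHello arrives in one TLS record.

```python
import struct
# Hypothetical profile names; the thread only calls them the sha1 and sha256 profiles.
SHA1_PROFILE, SHA256_PROFILE = "clientssl_sha1", "clientssl_sha256"

def sni_from_client_hello(record: bytes):
    """Return the SNI host name in a TLS ClientHello record, or None if absent."""
    # Record header is 5 bytes, handshake header 4 bytes (type 0x01 + 3-byte length).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                         # client_version + random
        pos += 1 + hello[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
        pos += 1 + hello[pos]                                # compression_methods
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    if pos > len(hello):
        raise ValueError("malformed ClientHello")
    if pos + 2 > len(hello):
        return None                  # no extensions block at all, so no SNI
    end = min(len(hello), pos + 2 + struct.unpack_from("!H", hello, pos)[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        # Extension type 0 is server_name; name_type 0 is host_name.
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack_from("!H", data, 3)[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None

def choose_profile(record: bytes) -> str:
    """No SNI -> sha1 profile (XP-era clients); SNI present -> sha256 default."""
    return SHA256_PROFILE if sni_from_client_hello(record) else SHA1_PROFILE

def build_client_hello(server_name=None) -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ClientHello record."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HHH", len(sni) + 4, 0, len(sni)) + sni
    hello = b"\x03\x01" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00" + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

As the reply notes, a missing SNI field is not a precise Windows XP fingerprint, so every client that omits SNI ends up on the sha1 profile.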