Forum Discussion

Alex_Suslik_102's avatar
Alex_Suslik_102
Icon for Nimbostratus rankNimbostratus
Sep 19, 2006

check client SSL encryption level support

Client targeting https://strong.test.com     This code should redirect to a pool "client_info" only if the browser does not support 128 or 256 bit encryption, but it always redirects to this poo...
application delivery
devops
irule editor
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Sep 19, 2006
Hi Alex -

I'd recommend adding some logging to your rule that reveals the variables your condition uses at the time the evaluation is made:
when HTTP_REQUEST {
  set cipher [HTTP::header "SSLClientCipher"]
  log local0. "cipher = $cipher"
  if { ($cipher eq "bits=128") || ($cipher eq "bits=256") }{
I think you'll find that the value returned doesn't /equal/ either value, so the condition fails. You might try the "contains" operator instead if you see the string "bits=xxx" in the returned value:
when HTTP_REQUEST {
  set cipher [HTTP::header "SSLClientCipher"]
  if { ($cipher contains "bits=128") || ($cipher contains "bits=256") }{
However, there is actually a specific command to find the cipher bits, so I think this rule would accomplish your goal:
when HTTP_REQUEST {
  if { [SSL::cipher bits] >= 128 }{
    pool strong.test.com
  } else {
    pool client_info
  }
}

HTH

/deb