Forum Discussion

Nimbostratus

Sep 22, 2023

Cipher suite mismatch advertisement/warning

Hi, this issue is linked to: https://community.f5.com/t5/technical-forum/cipher-suites-supported-12-1-5-3/m-p/321291#M271493 Finally we have decided to leave only ECDHE ciphers. As I said, mayb...

announcement

event

Security

Paulius
Sep 23, 2023
Martin182 So in iRule event CLIENTSSL_CLIENTHELLO is when the SSL ciphers are sent and then in CLIENTSSL_HANDSHAKE is when the SSL handshake finishes for an HTTPS connection. You would not be able to send any redirect or message until you reached the HTTP_REQUEST event occurs which is after the HTTPS connection establishes. If you cannot establish and HTTPS connection then you cannot send a message back to the client. This is the reason why I was stating that prior to your chipher change date you should have the website in question have a popup stating the cipher change and then a link to where they can go to validate the SSL ciphers that their browser supports.

Paulius

MVP

Sep 22, 2023

Martin182 Because the action you are looking for after SSL negotiation has completed this wouldn't be possible. Your better option would be to have a popup now that says you will be putting some SSL restrictions in place, define what the restriction is, and then send them a link to a URL that allows them to check their compatability with the ciphers in question.

Martin182
Nimbostratus
Sep 22, 2023
Hi Paulius, thanks for your reply
So I guess at the balancing level there is no configuration that I can apply on the F5 that meets my goal?
- Paulius
  MVP
  Sep 23, 2023
  Martin182 I'm not aware of a mechanism that would allow a user to attempt SSL handshake and then if it fails it would receive a redirect instead. This is an issue because in order to receive the redirect the client would have to complete the SSL handshake.
  - Martin182
    Nimbostratus
    Sep 23, 2023
    But in theory at the start of the ssl handshake, the client informs of the cipher suites it supports, therefore, it would not be possible to return the warning at that moment in case they are not those indicated in an iRule?
    Obviously adding in that iRule only those supported by the server (those indicated in the ssl profile configured in the VS).

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Cipher suite mismatch advertisement/warning

Recent Discussions

Gy the ft hi go to ki CE ki CE ki hi if co ltd Tel no hi hi co

SF GS see the attached document for your email and

De do please let me know when the ft ye so I

Spiritual Salt Review - Does it Work or a Scam?

Tupi Tea Reviews 2024: Real or Scam? Must Read

Related Content

SSL protocol mismatch

Display a warning on client browser when cipher suite mismatch

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

LTM Cipher rule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS