Forum Discussion

Martin182's avatar
Martin182
Icon for Nimbostratus rankNimbostratus
Sep 22, 2023

Cipher suite mismatch advertisement/warning

Hi, this issue is linked to: https://community.f5.com/t5/technical-forum/cipher-suites-supported-12-1-5-3/m-p/321291#M271493   Finally we have decided to leave only ECDHE ciphers. As I said, mayb...
announcement
event
security
  • Paulius's avatar
    Paulius
    Sep 23, 2023

    Martin182 So in iRule event CLIENTSSL_CLIENTHELLO is when the SSL ciphers are sent and then in CLIENTSSL_HANDSHAKE is when the SSL handshake finishes for an HTTPS connection. You would not be able to send any redirect or message until you reached the HTTP_REQUEST event occurs which is after the HTTPS connection establishes. If you cannot establish and HTTPS connection then you cannot send a message back to the client. This is the reason why I was stating that prior to your chipher change date you should have the website in question have a popup stating the cipher change and then a link to where they can go to validate the SSL ciphers that their browser supports.

Martin182's avatar
Martin182
Icon for Nimbostratus rankNimbostratus

But in theory at the start of the ssl handshake, the client informs of the cipher suites it supports, therefore, it would not be possible to return the warning at that moment in case they are not those indicated in an iRule?

Obviously adding in that iRule only those supported by the server (those indicated in the ssl profile configured in the VS).

Paulius's avatar
Paulius
Icon for MVP rankMVP
Sep 23, 2023

Martin182 So in iRule event CLIENTSSL_CLIENTHELLO is when the SSL ciphers are sent and then in CLIENTSSL_HANDSHAKE is when the SSL handshake finishes for an HTTPS connection. You would not be able to send any redirect or message until you reached the HTTP_REQUEST event occurs which is after the HTTPS connection establishes. If you cannot establish and HTTPS connection then you cannot send a message back to the client. This is the reason why I was stating that prior to your chipher change date you should have the website in question have a popup stating the cipher change and then a link to where they can go to validate the SSL ciphers that their browser supports.

  • Martin182's avatar
    Martin182
    Icon for Nimbostratus rankNimbostratus
    Sep 23, 2023

    Okay, understood, thank you

    • LiefZimmerman's avatar
      LiefZimmerman
      Icon for Admin rankAdmin
      Sep 26, 2023

      Thanks for following up and marking the solution Martin182 - that really helps future-community-selves.

      Welcome and thanks for being a part of our community.

      • Martin182's avatar
        Martin182
        Icon for Nimbostratus rankNimbostratus
        Sep 26, 2023

        Thanks to you Lief, this is a fantastic community and it's helping me a lot. I am very new to F5 equipment yet.