Forum Discussion

JO_JO's avatar
JO_JO
Icon for Altostratus rankAltostratus
May 17, 2023

CLIENT_HELLO SSL TLS version insert


CLIENT_HELLO SSL/TLS version insert

HELLO,

I want to insert the SSLv3, TLSv1, TLSv1.1 version in the HTTP header

The name of the HTTP header is "version"

I must use irule

when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}

when HTTP_REQUEST {
if {[class match $version equals tls-version ]} {
HTTP::header "version = $version"
}
}

In the data group tls-version, I defined SSLv3,TLSv1, TLSv1.1

It does not work

What's the problem?

Is there a better way?

 

  • Hi JO_JO,

    "insert" command is required to add http header. Can you try this iRule?

    when HTTP_REQUEST {
    	if { [class match [SSL::cipher version] equals tls-version] } {
    		HTTP::header insert "version" [SSL::cipher version]
    	}
    }

     

  • Hi JO_JO,

    "insert" command is required to add http header. Can you try this iRule?

    when HTTP_REQUEST {
    	if { [class match [SSL::cipher version] equals tls-version] } {
    		HTTP::header insert "version" [SSL::cipher version]
    	}
    }

     

  • 423479's avatar
    423479
    Icon for Nimbostratus rankNimbostratus

    Hello,

    The problem with your iRule is that you're attempting to compare the value of the version variable to the data group tls-version using the class match command. However, the class match command is used to match against a predefined class, not a data group.

    To fix this issue, you can modify your iRule as follows:

    when CLIENTSSL_CLIENTHELLO {
    set version [SSL::cipher version]
    }

    when HTTP_REQUEST {
    if {[class match [string toupper $version] equals tls-version]} {
    HTTP::header replace "version" "$version"
    }
    }

    In this updated iRule, we convert the version variable to uppercase using string toupper to ensure a case-insensitive match. Then, we compare it to the class tls-version. If there is a match, we replace the existing version header (if present) with the value of the version variable.

    Make sure you have defined the data group tls-version properly with the values "SSLv3", "TLSv1", and "TLSv1.1".

    Note: It's important to mention that SSLv3 and TLSv1.1 are considered insecure and deprecated protocols. It's highly recommended to use more secure versions like TLSv1.2 or TLSv1.3.