Forum Discussion

JO_JO's avatar
JO_JO
Icon for Altostratus rankAltostratus
May 17, 2023

CLIENT_HELLO SSL TLS version insert


CLIENT_HELLO SSL/TLS version insert

HELLO,

I want to insert the SSLv3, TLSv1, TLSv1.1 version in the HTTP header

The name of the HTTP header is "version"

I must use irule

when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}

when HTTP_REQUEST {
if {[class match $version equals tls-version ]} {
HTTP::header "version = $version"
}
}

In the data group tls-version, I defined SSLv3,TLSv1, TLSv1.1

It does not work

What's the problem?

Is there a better way?

 

application delivery
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    May 17, 2023

    Hi JO_JO,

    "insert" command is required to add http header. Can you try this iRule?

    when HTTP_REQUEST {
	if { [class match [SSL::cipher version] equals tls-version] } {
		HTTP::header insert "version" [SSL::cipher version]
	}
}

     

  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Icon for MVP rankMVP
    May 17, 2023

    Hi JO_JO,

    "insert" command is required to add http header. Can you try this iRule?

    when HTTP_REQUEST {
	if { [class match [SSL::cipher version] equals tls-version] } {
		HTTP::header insert "version" [SSL::cipher version]
	}
}

     

  • 423479's avatar
    423479
    Icon for Nimbostratus rankNimbostratus
    May 17, 2023

    Hello,

    The problem with your iRule is that you're attempting to compare the value of the version variable to the data group tls-version using the class match command. However, the class match command is used to match against a predefined class, not a data group.

    To fix this issue, you can modify your iRule as follows:

    when CLIENTSSL_CLIENTHELLO {
    set version [SSL::cipher version]
    }

    when HTTP_REQUEST {
    if {[class match [string toupper $version] equals tls-version]} {
    HTTP::header replace "version" "$version"
    }
    }

    In this updated iRule, we convert the version variable to uppercase using string toupper to ensure a case-insensitive match. Then, we compare it to the class tls-version. If there is a match, we replace the existing version header (if present) with the value of the version variable.

    Make sure you have defined the data group tls-version properly with the values "SSLv3", "TLSv1", and "TLSv1.1".

    Note: It's important to mention that SSLv3 and TLSv1.1 are considered insecure and deprecated protocols. It's highly recommended to use more secure versions like TLSv1.2 or TLSv1.3.