Forum Discussion
CLIENT_HELLO SSL TLS version insert
- May 17, 2023
Hi JO_JO,
"insert" command is required to add http header. Can you try this iRule?
when HTTP_REQUEST { if { [class match [SSL::cipher version] equals tls-version] } { HTTP::header insert "version" [SSL::cipher version] } }
Hello,
The problem with your iRule is that you're attempting to compare the value of the version variable to the data group tls-version using the class match command. However, the class match command is used to match against a predefined class, not a data group.
To fix this issue, you can modify your iRule as follows:
when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}
when HTTP_REQUEST {
if {[class match [string toupper $version] equals tls-version]} {
HTTP::header replace "version" "$version"
}
}
In this updated iRule, we convert the version variable to uppercase using string toupper to ensure a case-insensitive match. Then, we compare it to the class tls-version. If there is a match, we replace the existing version header (if present) with the value of the version variable.
Make sure you have defined the data group tls-version properly with the values "SSLv3", "TLSv1", and "TLSv1.1".
Note: It's important to mention that SSLv3 and TLSv1.1 are considered insecure and deprecated protocols. It's highly recommended to use more secure versions like TLSv1.2 or TLSv1.3.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com