For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JO_JO's avatar
JO_JO
Icon for Altostratus rankAltostratus
May 17, 2023
Solved

CLIENT_HELLO SSL TLS version insert

CLIENT_HELLO SSL/TLS version insert HELLO, I want to insert the SSLv3, TLSv1, TLSv1.1 version in the HTTP header The name of the HTTP header is "version" I must use irule when CLIENTSSL_CLIENT...
application delivery
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    May 17, 2023

    Hi JO_JO,

    "insert" command is required to add http header. Can you try this iRule?

    when HTTP_REQUEST {
	if { [class match [SSL::cipher version] equals tls-version] } {
		HTTP::header insert "version" [SSL::cipher version]
	}
}

     

423479's avatar
423479
Icon for Nimbostratus rankNimbostratus
May 17, 2023

Hello,

The problem with your iRule is that you're attempting to compare the value of the version variable to the data group tls-version using the class match command. However, the class match command is used to match against a predefined class, not a data group.

To fix this issue, you can modify your iRule as follows:

when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}

when HTTP_REQUEST {
if {[class match [string toupper $version] equals tls-version]} {
HTTP::header replace "version" "$version"
}
}

In this updated iRule, we convert the version variable to uppercase using string toupper to ensure a case-insensitive match. Then, we compare it to the class tls-version. If there is a match, we replace the existing version header (if present) with the value of the version variable.

Make sure you have defined the data group tls-version properly with the values "SSLv3", "TLSv1", and "TLSv1.1".

Note: It's important to mention that SSLv3 and TLSv1.1 are considered insecure and deprecated protocols. It's highly recommended to use more secure versions like TLSv1.2 or TLSv1.3.