Forum Discussion
gdoyle
Cirrostratus
May 19, 2016
Custom Response Upon Denial with iRule.
We created an iRule which denies a user access if they are not using TLS 1.1 or greater (so TLS 1.0 or no TLS). We would like a custom message, and although it is in the iRule, that is not the message...
Yann_Desmarest
Cirrus
May 19, 2016
Hello,
The iRule below allows you to generate a custom message when the connection uses a weak protocol:
```tcl
when HTTP_REQUEST {
    switch -glob [SSL::cipher version] {
        "TLSv1.1" -
        "TLSv1.2" {
            # Do nothing and allow the request
        }
        default {
            HTTP::respond 200 content \
                "<html><head><title>Maintenance page</title></head><body>
                <p align=center> **********CUSTOM DENIAL MESSAGE HERE.**********
                </p></body></html>" "Content-type" "text/html"
            return
        }
    }
}
```
Tested on my lab with success. Just a few commands on the BIG-IP that can help you test:
```
openssl s_client -connect 172.20.2.7:443 -tls1_1
openssl s_client -connect 172.20.2.7:443 -tls1_2
openssl s_client -connect 172.20.2.7:443 -tls1
openssl s_client -connect 172.20.2.7:443 -ssl3
```
When the SSL connection is established, you can type "GET /" and press Enter.
- cjunior
May 20, 2016
Nacreous
Hi Yann, it's only to register that I can't understand when my code will fail, as it returns TLSv1 instead of TLSv1.0. Am I really wrong? Regards, (tested in v12.0.0 and v11.6.0)
```tcl
log local0. "=== \[SSL::cipher version\]: [SSL::cipher version]"
```
```
=== [SSL::cipher version]: TLSv1
=== [SSL::cipher version]: TLSv1.1
=== [SSL::cipher version]: TLSv1.2
```
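The following is an added example, not code from either poster or from F5: a small Python model of the decision the iRule above makes in HTTP_REQUEST, run against the protocol labels cjunior's log shows ("TLSv1", "TLSv1.1", "TLSv1.2") plus two constructed ones ("SSLv3", "TLSv1.3"). It shows why the exact-match `switch` denies "TLSv1" without needing a "TLSv1.0" case (anything not in the allow list falls into `default`), and it contrasts that allow list with a parsed minimum-version check, which would also accept a label for a newer protocol version; the label "TLSv1.3" and the `parse_version`, `allowed_by_exact_list`, `allowed_by_minimum` and `handle_request` names are assumptions of this example, not values or functions taken from the BIG-IP.

```python
import re

# Constructed policy: minimum accepted version, encoded as
# (family rank, major, minor) where SSL ranks below TLS. (1, 1, 1) == TLS 1.1.
MIN_VERSION = (1, 1, 1)

# Constructed denial page, playing the role of the HTML body in HTTP::respond.
DENIAL_BODY = (
    "<html><head><title>Maintenance page</title></head><body>"
    "<p align=center> **********CUSTOM DENIAL MESSAGE HERE.********** </p>"
    "</body></html>"
)

# Matches labels like "SSLv3", "TLSv1", "TLSv1.2"; the minor part is optional,
# which is exactly why "TLSv1" (TLS 1.0) has no ".0" suffix in the log.
_VERSION_RE = re.compile(r"^(SSL|TLS)v(\d+)(?:\.(\d+))?$")


def parse_version(label: str):
    """Turn a protocol label into a comparable (rank, major, minor) tuple.
    Returns None for anything that does not look like a protocol label so
    the caller can fall back to deny."""
    m = _VERSION_RE.match(label)
    if not m:
        return None
    family, major, minor = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    return (0 if family == "SSL" else 1, major, minor)


def allowed_by_exact_list(label: str) -> bool:
    """Decision rule of the posted iRule: exact match against an allow list.
    "TLSv1", "SSLv3" and any label not listed (including a hypothetical
    "TLSv1.3") all land in the deny branch."""
    return label in ("TLSv1.1", "TLSv1.2")


def allowed_by_minimum(label: str, minimum=MIN_VERSION) -> bool:
    """Alternative rule: parse the label and compare with a floor, so a newer
    version is accepted without editing the list while 1.0 and SSLv3 stay denied."""
    version = parse_version(label)
    return version is not None and version >= minimum


def handle_request(label: str, policy=allowed_by_exact_list):
    """Emulate the HTTP_REQUEST event: None means let the request through;
    otherwise a (status, content type, body) tuple stands in for HTTP::respond."""
    if policy(label):
        return None
    return (200, "text/html", DENIAL_BODY)


if __name__ == "__main__":
    # Three labels from the log in the thread plus two constructed ones.
    for label in ("TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3", "TLSv1.3"):
        exact = "allow" if handle_request(label) is None else "deny"
        floor = "allow" if handle_request(label, allowed_by_minimum) is None else "deny"
        print(f"{label:8s} exact-list: {exact:5s} minimum-version: {floor}")
```

The exact-match form is the one that was tested in the thread; the minimum-version form is shown only to make the trade-off visible: an allow list is safe by default for unknown labels, while a parsed comparison avoids silently denying a newer protocol version, so whichever you deploy, log the denied label (as cjunior does) to see what clients actually present.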