Forum Discussion
gdoyle
Cirrostratus
May 19, 2016
Custom Response Upon Denial with iRule.
We created an irule which denies a user access if they are not using TLS 1.1 or greater (so TLS1.0 or no TLS). We would like a custom message, and although it is in the iRule, that is not the message...
Yann_Desmarest_
Nacreous
May 19, 2016
Hello,
The iRule below allows you to generate a custom message when the connection uses a weak protocol:
when HTTP_REQUEST {
    switch -glob [SSL::cipher version] {
        "TLSv1.1" -
        "TLSv1.2" {
            # Do nothing and allow the request
        }
        default {
            HTTP::respond 200 content \
                "<html><head><title>Maintenance page</title></head><body>
                <p align=center> **********CUSTOM DENIAL MESSAGE HERE.**********
                </p></body></html>" "Content-type" "text/html"
            return
        }
    }
}
Tested in my lab with success. Just a few commands on the BIG-IP that can help you test:
openssl s_client -connect 172.20.2.7:443 -tls1_1
openssl s_client -connect 172.20.2.7:443 -tls1_2
openssl s_client -connect 172.20.2.7:443 -tls1
openssl s_client -connect 172.20.2.7:443 -ssl3
When the SSL connection is established, you can type "GET /" and press Enter.
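The manual test above, scripted as an added example (not part of the original post): it sends the request over each protocol version and reports whether the client got the application, the custom denial page, or no HTTP response at all. The verdict names and the `--run` switch are assumptions of this sketch; the target address and marker text are taken from the post.

```shell
#!/bin/sh
# Added example: report what a client sees for each protocol version.
# TARGET defaults to the lab address used in the post; MARKER is the
# placeholder text from the iRule. Verdict names are this script's own.
TARGET="${TARGET:-172.20.2.7:443}"
MARKER="CUSTOM DENIAL MESSAGE HERE"

# Read s_client output on stdin and print one verdict.
classify_response() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^HTTP/1\.[01] '; then
        # Handshake failed (protocol disabled on the virtual server's SSL
        # profile, or not supported by the local openssl build). HTTP_REQUEST
        # never fires in that case, so the iRule cannot send its page.
        echo "no-http-response"
    elif printf '%s\n' "$out" | grep -qF "$MARKER"; then
        echo "denied-custom-page"
    else
        echo "allowed"
    fi
}

# $1 is an s_client protocol flag such as -tls1_1. The sleep keeps stdin
# open long enough for the response to arrive before s_client exits.
probe() {
    { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 2; } |
        openssl s_client -connect "$TARGET" "$1" 2>/dev/null |
        classify_response
}

run_matrix() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$flag")"
    done
}

# Constructed sample of a denied exchange, for checking the classifier offline.
sample_denied() {
    printf 'CONNECTED(00000003)\n---\nHTTP/1.0 200 OK\r\n'
    printf 'Content-type: text/html\r\n\r\n'
    printf '<p align=center> **********%s.**********\n' "$MARKER"
}

case "${1:-}" in
    --run) run_matrix ;;
    *)     echo "sample: $(sample_denied | classify_response)" ;;
esac
```

A `no-http-response` verdict for `-tls1` or `-ssl3` means the connection was refused before the iRule could run, so the custom page is only reachable for protocols the virtual server still negotiates.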