Forum Discussion
gdoyle
Cirrostratus
May 19, 2016
Custom Response Upon Denial with iRule.
We created an iRule which denies a user access if they are not using TLS 1.1 or greater (so TLS1.0 or no TLS). We would like a custom message, and although it is in the iRule, that is not the message...
cjunior
Nacreous
May 20, 2016
So, if you try the iRule below, what do you see in the /var/log/ltm file?
when CLIENT_ACCEPTED {
    log local0. "=== Client 3WHS finished"
}
when CLIENTSSL_CLIENTHELLO {
    log local0. "=== Starting SSL negotiation: [SSL::cipher version]"
}
when CLIENTSSL_HANDSHAKE {
    log local0. "=== SSL negotiation completed: [SSL::cipher version]"
}
when HTTP_REQUEST {
    log local0. "=== HTTP request [SSL::cipher version]"
    # Only versions reported as "TLSv1.x" pass; "TLSv1" (TLS 1.0) and "SSLv3" get the custom response.
    if { not ([SSL::cipher version] starts_with "TLSv1.") } {
        log local0. "=== Current request blocked for SSL: [SSL::cipher version]"
        HTTP::respond 200 content {
            Maintenance page
            **********CUSTOM DENIAL MESSAGE HERE.**********
        } Content-Type text/html Connection close
    }
}
when HTTP_RESPONSE {
    log local0. "=== HTTP replied and flow OK"
}
Please check your /var/log/ltm file, e.g.:
cat /var/log/ltm
May 20 17:47:19 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Client 3WHS finished
May 20 17:47:19 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Starting SSL negotiation: TLSv1.2
May 20 17:47:19 bigiplab info tmm3[18141]: Rule /Common/rule_https : === SSL negotiation completed: TLSv1.2
May 20 17:47:24 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Begin HTTP request TLSv1.2
May 20 17:47:24 bigiplab info tmm3[18141]: Rule /Common/rule_https : === HTTP replied and OK
May 20 17:47:30 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Client 3WHS finished
May 20 17:47:30 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Starting SSL negotiation: TLSv1
May 20 17:47:30 bigiplab info tmm3[18141]: Rule /Common/rule_https : === SSL negotiation completed: TLSv1
May 20 17:47:33 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Begin HTTP request TLSv1
May 20 17:47:33 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Current request blocked for SSL: TLSv1
May 20 18:01:49 bigiplab info tmm[18141]: Rule /Common/rule_https : === Client 3WHS finished
May 20 18:01:49 bigiplab info tmm[18141]: Rule /Common/rule_https : === Starting SSL negotiation: SSLv3
May 20 18:01:49 bigiplab info tmm[18141]: Rule /Common/rule_https : === SSL negotiation completed: SSLv3
May 20 18:01:53 bigiplab info tmm[18141]: Rule /Common/rule_https : === HTTP request SSLv3
May 20 18:01:53 bigiplab info tmm[18141]: Rule /Common/rule_https : === Current request blocked for SSL: SSLv3
We're almost there, don't give up!
Best Regards.
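One way to confirm from /var/log/ltm that the iRule in the reply above blocks what it is meant to, as an added example that is not part of the original posts: it counts HTTP requests and block messages per protocol version and reports mismatches. The sample lines are constructed in the posted log format, with the last request deliberately left without a block line, and `allowed` and `audit` are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample in the format the iRule above writes to /var/log/ltm.
SAMPLE_LOG = """\
May 20 17:47:19 bigiplab info tmm3[18141]: Rule /Common/rule_https : === SSL negotiation completed: TLSv1.2
May 20 17:47:24 bigiplab info tmm3[18141]: Rule /Common/rule_https : === HTTP request TLSv1.2
May 20 17:47:24 bigiplab info tmm3[18141]: Rule /Common/rule_https : === HTTP replied and flow OK
May 20 17:47:30 bigiplab info tmm3[18141]: Rule /Common/rule_https : === SSL negotiation completed: TLSv1
May 20 17:47:33 bigiplab info tmm3[18141]: Rule /Common/rule_https : === HTTP request TLSv1
May 20 17:47:33 bigiplab info tmm3[18141]: Rule /Common/rule_https : === Current request blocked for SSL: TLSv1
May 20 18:01:53 bigiplab info tmm[18141]: Rule /Common/rule_https : === HTTP request SSLv3
May 20 18:01:53 bigiplab info tmm[18141]: Rule /Common/rule_https : === Current request blocked for SSL: SSLv3
May 20 18:02:10 bigiplab info tmm1[18141]: Rule /Common/rule_https : === HTTP request TLSv1
"""

# Matches the request and block messages; "Begin " is optional because the
# posted log shows both "HTTP request" and "Begin HTTP request".
LINE = re.compile(r"Rule (\S+)[^:]*: === (?:Begin )?"
                  r"(HTTP request|Current request blocked for SSL:) (\S+)")

def allowed(version):
    # Same test as the iRule: "TLSv1.1", "TLSv1.2" pass; "TLSv1" and "SSLv3" do not.
    return version.startswith("TLSv1.")

def audit(log_text):
    """Return (requests, blocked, findings), counted per (rule, version)."""
    requests, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # handshake and response messages are not needed here
        rule, event, version = m.groups()
        (blocked if event.startswith("Current") else requests)[(rule, version)] += 1
    findings = []
    for key in sorted(set(requests) | set(blocked)):
        rule, version = key
        if not allowed(version) and blocked[key] < requests[key]:
            findings.append((rule, version, "weak protocol not blocked",
                             requests[key] - blocked[key]))
        elif allowed(version) and blocked[key]:
            findings.append((rule, version, "allowed protocol blocked", blocked[key]))
    return requests, blocked, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[2]:
        print(finding)
```

Because the log lines carry no connection identifier, the comparison is by count per version rather than per flow.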