For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gdoyle's avatar
gdoyle
Icon for Cirrostratus rankCirrostratus
May 19, 2016

Custom Response Upon Denial with iRule.

We created an irule which denies a user access if they are not using TLS 1.1 or greater (so TLS1.0 or no TLS). We would like a custom message, and although it is in the iRule, that is not the message...
BIG-IP
irule
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
May 24, 2016

Hi,

You can try this : 

when HTTP_REQUEST {
    if { not ([SSL::cipher version] starts_with "TLSv1.") } {
        HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
    }
}
  • gdoyle's avatar
    gdoyle
    Icon for Cirrostratus rankCirrostratus
    May 25, 2016
    I tried what you suggested, but the connection does not get denied. Instead of goes right to the page as if TLS1.0 is allowed. This is supposed to happen, except it should be redirected to the custom message page. Is something missing from that rule that would redirect it to the ifile or that would fail to call the ifile?
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    May 25, 2016
    Hi, the irule is correct. I validated it on my lab. I think that you negociate TLS1.1 or TLS1.2 instead of TLS1.0 for testing