Detect SSLv3 and Create a list of incoming IP addresses using SSLv3
Hi all
I am currently unable to migrate all services away from SSLv3 due to some legacy applications. I have created an iRule which allowed me to look at a Data Group list and send users to an SSLv3 or TLS ClientSide profile.
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]"
    if { [class match [IP::client_addr] equals SSLv3_Client] } {
        SSL::profile ADC_LDAP_SSL3
    } else {
        SSL::profile ADC_LDAP
    }
}
Does anyone have a suggestion on creating an iRule to log all the incoming SSLv3 IP addresses?
Thanks
5 Replies
- Kevin_Stewart
Employee
You should already have what you're looking for with the exception of an additional log line:
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]"
    if { [class match [IP::client_addr] equals SSLv3_Client] } {
        log local0. "Incoming SSLv3 client: [IP::client_addr]"
        SSL::profile ADC_LDAP_SSL3
    } else {
        SSL::profile ADC_LDAP
    }
}
or are you trying to log all clients that establish an SSLv3 connection (versus what's defined in the datagroup)?
- Kevin_Stewart
Employee
But one of the testers said it was not working.
Can you elaborate on how it's not working? Was it breaking page access? Not logging the SSLv3 connection?
- chungyu_16122
Altostratus
Hi Kevin
Here is what I got from our developer -
It seems to me when the call from the oracle databases to the site, the condition “if {[SSL::cipher version] eq "SSLv3"}” does not work, or at least it cannot get the cipher version
Thanks
Chung
- Kevin_Stewart
Employee
Understood, but if you do the following, do you see any ciphers listed:
when CLIENTSSL_HANDSHAKE {
    log local0. "[IP::client_addr] - [SSL::cipher version]"
}
- chungyu_16122
Altostratus
Awesome, thanks a lot, it is working for me.
Regards
chung
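Added example, not part of the original thread: an iRule that combines the CLIENTSSL_HANDSHAKE logging from Kevin's reply with the SSLv3 check quoted above, so that only clients that actually negotiated SSLv3 are logged, once per client per hour. The negotiated version is only available once the client-side handshake has completed, which is why the check sits in CLIENTSSL_HANDSHAKE rather than CLIENT_ACCEPTED. The subtable name sslv3_clients and the one-hour lifetime are assumptions.

```tcl
when CLIENTSSL_HANDSHAKE {
    # The handshake is complete here, so the negotiated protocol version is known.
    if { [SSL::cipher version] eq "SSLv3" } {
        set client_ip [IP::client_addr]

        # Assumption: "sslv3_clients" is a hypothetical session subtable used only
        # to suppress repeat log lines from a client that reconnects frequently.
        if { [table lookup -notouch -subtable sslv3_clients $client_ip] eq "" } {
            # No idle timeout; the entry expires after 3600 seconds, so each
            # SSLv3 client is logged at most once per hour.
            table set -subtable sslv3_clients $client_ip 1 indef 3600
            log local0. "Incoming SSLv3 client: $client_ip cipher=[SSL::cipher name] vs=[virtual name]"
        }
    }
}
```

The distinct addresses in the resulting "Incoming SSLv3 client" log lines form the list of clients that still need to be migrated off SSLv3.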