Forum Discussion
Detecting TLS v1.1
dennypayne (Employee), Oct 21, 2008
Does anyone know what string (if anything) LTM 9.4.x will return for [SSL::cipher version] if the client is using TLS v1.1 (i.e. Opera)?
I'm trying to account for the possibility of a TLS v1.1 request coming into the following iRule and I haven't yet been able to actually create a v1.1 request to determine what the correct string might be...
Denny
```tcl
when HTTP_REQUEST {
    # get encryption strength
    set ver [SSL::cipher version]
    set strength [SSL::cipher bits]
    # Is client SSLv3 or TLSv1 and at least 128 bit?
    if { ($ver == "SSLv3") or ($ver == "TLSv1") } {
        if { $strength < 128 } {
            HTTP::redirect "http://www.domain.com/upgradebrowser.html"
        }
    } else {
        HTTP::redirect "http://www.domain.com/upgradebrowser.html"
    }
}
```
3 Replies
- Steve_Scott_873 (Historic F5 Account):
Why not just set no SSLv2 on your Client Profile? The error message isn't as friendly, but SSLv2 has serious security flaws and has been replaced with SSLv3 since 1996.
Either that or turn it on its head and match $ver == "SSLv2", which is only one comparison and will therefore save you a few CPU cycles. Also, standards will continue to evolve and TLS 1.2 was approved in August.

- dennypayne (Employee):
And actually in my testing IE doesn't even get an error message; it just silently fails to connect to the site if forced to use SSL v2. So the customer feels the need to mitigate this with an error page with instructions.
Denny

- Steve_Scott_873 (Historic F5 Account):
Denny,
You'll need to find a REALLY old browser that only supports SSLv2 to get any meaningful results. Any modern browser will avoid SSLv2 like the plague for obvious reasons (glaring security holes).
If you want to test with a modern browser, a tcpdump / ssldump will probably give you a reasonable idea of how far it's getting (does it fail at key negotiation or does it send an HTTP request?).
Also, have you got Ciphers set to ALL on your SSL Profile? If it's default, it might not have any compatible ciphers available, even though SSLv2 is not explicitly disabled.
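As an added example (not code from the thread, F5, or the iRule above), the following Python shows what an ssldump-style look at the ClientHello reveals and why the allow-list in the posted iRule and Steve's inverted check behave differently. It builds two constructed ClientHellos (one with SSLv3/TLS record framing, one in the SSLv2-compatible format that older browsers and OpenSSL send first), parses the protocol version the client advertises, and then runs both redirect policies. The version labels in VERSION_NAMES are an assumption made for this example; they are not confirmed values returned by [SSL::cipher version] on LTM 9.4.x, which is exactly what the question asks.

```python
import struct

# ASSUMPTION: readable labels for wire versions. These are NOT verified
# against what LTM 9.4.x returns from [SSL::cipher version].
VERSION_NAMES = {
    (0, 2): "SSLv2",    # SSLv2 encodes its version as 0x0002
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def build_client_hello(major, minor, ciphers=(0x002F, 0x0035)):
    """Constructed test data: a minimal SSLv3/TLS handshake record
    carrying a ClientHello that advertises (major, minor)."""
    body = struct.pack("!BB", major, minor)
    body += b"\x00" * 32                       # client random (zeroed)
    body += b"\x00"                            # session id length 0
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return (b"\x16" + struct.pack("!BB", major, minor)
            + struct.pack("!H", len(handshake)) + handshake)


def build_sslv2_client_hello(major=3, minor=1, ciphers=(0x010080, 0x000035)):
    """Constructed test data: an SSLv2-format ClientHello. The framing is
    SSLv2 (2-byte header with the high bit set, 3-byte cipher specs) but
    the version field may still advertise SSLv3 or TLS."""
    cipher_bytes = b"".join(struct.pack("!I", c)[1:] for c in ciphers)
    challenge = b"\x00" * 16
    msg = b"\x01" + struct.pack("!BB", major, minor)
    msg += struct.pack("!HHH", len(cipher_bytes), 0, len(challenge))
    msg += cipher_bytes + challenge
    return struct.pack("!H", len(msg) | 0x8000) + msg


def client_hello_version(data):
    """Return (framing, version_label) from the first bytes a client sends.
    This is what you would read off a tcpdump/ssldump capture."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        # SSLv2 framing: high bit of the 2-byte length is set
        length = ((data[0] & 0x7F) << 8) | data[1]
        if len(data) < 2 + length or data[2] != 0x01:
            raise ValueError("not an SSLv2 ClientHello")
        major, minor = data[3], data[4]
        return "v2-compat", VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake")
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 > rec_len:
        raise ValueError("truncated handshake")
    major, minor = data[9], data[10]
    return "v3-record", VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")


def redirect_needed(version, bits, allowed=("SSLv3", "TLSv1")):
    """Mirror of the posted iRule: redirect unless the version is on the
    allow-list AND the cipher is at least 128 bits. Anything the list
    does not name (TLSv1.1, TLSv1.2, ...) gets redirected."""
    return version not in allowed or bits < 128


def redirect_needed_inverted(version, bits):
    """Steve's inversion: one comparison, and future versions pass."""
    return version == "SSLv2" or bits < 128


if __name__ == "__main__":
    for hello in (build_client_hello(3, 2), build_sslv2_client_hello(3, 1),
                  build_sslv2_client_hello(0, 2)):
        framing, ver = client_hello_version(hello)
        print(framing, ver,
              "allow-list redirect:", redirect_needed(ver, 256),
              "inverted redirect:", redirect_needed_inverted(ver, 256))
```

Note that a TLS 1.1 client with a 256-bit cipher is redirected by the allow-list version purely because "TLSv1.1" is not one of the two strings named, while the inverted check only redirects the SSLv2 case; that is the practical consequence of Steve's "standards will continue to evolve" remark.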