Determine SSL client profile by client's TLS version
Hi Daniel, welcome aboard.
According to this SOL, it is not possible to use any SSL-related information derived after a CLIENTSSL_CLIENTHELLO event in order to choose an SSL-profile:
It is not possible to utilize SSL::extensions or other SSL commands to make a profile selection using the SSL::profile command. To select a profile based on the Client Hello contents, it is still required to manually interpret the raw TCP data in CLIENT_DATA. Though the Client Hello is where the client proposes ciphers, there is no command to access this information in the event.
As I understand that, this is caused by the fact that CLIENTSSL_CLIENTHELLO is triggered AFTER the selection of a clientssl profile. Hence, in order to solve this with an iRule, you will have to use TCP::collect and - as described in the above solution - manually interpret the raw TCP data in CLIENT_DATA. There might be some examples for that here on DevCentral.
However, I could also think of another way to accomplish that: Can't you find another means of identifying your "newer" clients (e.g. user-agent) and redirect them (using http redirect) to a more secure virtual with higher-level clientssl profile AFTER the initial SSL handshake while leaving the others on the less-secure one? Might be easier to implement...
HTH,
Martin
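
The manual interpretation of the raw Client Hello that the reply above refers to, sketched in Python rather than as an iRule (an added example, not part of the original post and not F5 code). It goes one step beyond the legacy version field and also reads the supported_versions extension, because TLS 1.3 clients send 0x0303 in the legacy field. The names `client_max_version` and `build_hello` are hypothetical, and the sketch assumes the whole Client Hello arrives in a single TLS record.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_max_version(payload: bytes):
    """Highest protocol version offered in a raw ClientHello, or None."""
    try:
        # TLS record header: content type 0x16 (handshake), version, length
        if payload[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        body = payload[5:5 + rec_len]
        # Handshake header: type 0x01 (ClientHello) plus 3-byte length
        if len(body) < rec_len or body[0] != 0x01:
            return None  # incomplete record or not a ClientHello
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack("!H", hello[:2])[0]  # legacy_version
        pos = 2 + 32                                  # skip random
        pos += 1 + hello[pos]                         # skip session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hello[pos]                         # compression methods
        if pos >= len(hello):
            return version                            # no extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 43:  # supported_versions (RFC 8446)
                offered = [v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]])]
                known = [v for v in offered if v in NAMES]  # drops GREASE values
                if known:
                    version = max(known)
        return version
    except (IndexError, struct.error):
        return None  # truncated or malformed input

def build_hello(legacy, supported=()):
    """Constructed sample ClientHello for the demo; not captured traffic."""
    ext = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
    hello = (struct.pack("!H", legacy) + bytes(32) + b"\x00"
             + struct.pack("!HH", 2, 0x002F) + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A `None` result means the collected bytes are not a complete Client Hello, so the caller should keep its default profile rather than guess.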