Forum Discussion
Douglas_Wong_10
Nimbostratus
Oct 12, 2006
Disabling SSL v2 to users with iRules
I'm looking at capturing users who use an older browser which negotiates with SSL v.2 and redirecting them to a page that basically tells them to upgrade.
My questions are these:
1) Can I use SSL::cipher version to determine if the user is using version 2, then redirect them to this friendly page, or should I use another SSL iRule?
2) Do I need to terminate SSL on the LTM for this to work or can termination be done at the web server level?
Thanks...
2 Replies
- Douglas_Wong_10
Nimbostratus
Thanks for your reply Hoolio.
It sounds like I'll need to terminate SSL on BigIP, rather than installing the certificate on my Web Server directly for the SSL:: iRules to work. Does that sound right to you?
- hoolio
Cirrostratus
It looks like that is correct. I think the logic is: if you're just passing the SSL traffic through the BIG-IP, BIG-IP never sees the SSL handshake--and therefore you can't access the SSL cert info or use SSL-based iRule commands. I'm not sure whether the client SSL cipher version info is snoop-able in between the client and the server, but I'm pretty sure BIG-IP isn't looking for it (if it is visible) anyhow.
Regardless, you need to decrypt the HTTPS traffic in order to send an HTTP redirect back to the client.
Aaron
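The check discussed in this thread, sketched as an iRule (an added example, not code posted by either participant). It assumes the virtual server has a client SSL profile, so BIG-IP terminates SSL, and that the profile's cipher list still permits SSLv2 so the handshake completes; the `/upgrade-browser.html` path is a hypothetical placeholder.

```tcl
when HTTP_REQUEST {
    # Hypothetical path of the "please upgrade" page (placeholder, not from the thread).
    set upgrade_uri "/upgrade-browser.html"

    # SSL::cipher version reports the protocol version negotiated on the
    # client-side connection. It is only available because BIG-IP terminated SSL.
    if { [SSL::cipher version] eq "SSLv2" } {
        # Let the notice page itself through; redirecting it too would loop,
        # because the client reconnects with the same SSLv2 handshake.
        if { [string tolower [HTTP::path]] ne $upgrade_uri } {
            log local0. "SSLv2 client [IP::client_addr] redirected from [HTTP::host][HTTP::uri]"
            HTTP::redirect "https://[HTTP::host]$upgrade_uri"
        }
    }
}
```

If SSLv2 is removed from the client SSL profile's ciphers instead, the handshake fails before any HTTP request arrives, so no redirect can be sent.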