Disablling SSL v2 to users with iRules

Question

I'm looking at capturing users who use an older browser which negotiates with SSL v.2 and redirecting them to a page that basically tells them to upgrade.&nbsp;
&nbsp;My questions are these:&nbsp;
&nbsp;1) Can I use SSL::cipher version to determine if the user is using version 2, then redirecting them to this friendly page or should I use another SSL irule?&nbsp;
&nbsp;2) Do I need to terminate SSL on the LTM for this to work or can termination be done at the web server level?&nbsp;
&nbsp;Thanks...&nbsp;&nbsp;&nbsp;

douglas_wong_10 · Answer

Thanks for your reply Hoolio. &nbsp;
&nbsp;It sounds like I'll need to terminate SSL on BigIP, rather than installing the certificate on my Web Server directly for the SSL:: irules to work. Does that sound right to you?

hoolio · Answer

It looks like that is correct.  I think the logic is: if you're just passing the SSL traffic through the BIG-IP, BIG-IP never sees the SSL handshake--and therefore you can't access the SSL cert info or use SSL-based iRule commands.  I'm not sure whether the client SSL cipher version info is snoop-able in between the client and the server, but I'm pretty sure BIG-IP isn't looking for it (if it is visible) anyhow.&nbsp;
&nbsp;Regardless, you need to decrypt the HTTPS traffic in order to send an HTTP redirect back to the client.&nbsp;
&nbsp;Aaron

Forum Discussion

Disablling SSL v2 to users with iRules

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

iRules: Disabling Event Processing

DEVCENTRAL END-USER LICENSE AGREEMENT

Securing the LLM User Experience with an AI Firewall

Disable cookie persistance in irule

Disabling Specific Weak Cipher Suites

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS