Ian_Amos_37833
Sep 26, 2007

Enforcing 128-bit SSL encryption

Hi all,

I would like to force clients to use a 128-bit browser when connecting to a site with a 128-bit Verisign cert.

I have found this iRule on the forums:

when HTTP_REQUEST {
   # Refuse the request if the negotiated SSL cipher uses fewer than 128 bits
   if { [SSL::cipher bits] < 128 } {
      HTTP::respond 402 content "This web site requires 128 bit encryption or higher.\
  Please update your browser and try again."
   }
}

which looks fine, but is there a way to permanently stop the F5 from even negotiating to a weaker encryption? I'm already running a number of balancing decisions based on the HTTP Request, so don't really want to add this to the mix too.

Looking on the VeriSign website, I see this is easy to do on a MS IIS server (just change an option in the properties), but they were unable to help with the F5.

Any ideas?

Thanks
  • Deb_Allen_18
    Historic F5 Account
    Hi Ian -

    You can set the cipher spec in the related clientssl profile -- just change the value of "Ciphers" from "DEFAULT" to "DEFAULT:!EXPORT40:!EXP:!LOW"

    More info here: https://tech.f5.com/home/solutions/sol7815.html

    /deb
  • Deb_Allen_18
    Historic F5 Account
    The "Ciphers" option is found in the Advanced configuration window of the clientssl profile.

  • Hi Deb,

    Excellent! Having read the details on VeriSign's site for MS servers, I was looking under Local Traffic/SSL Certificates.

    Using Profiles is much better.

    Thanks
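
To show why the cipher string in the answer above carries three separate exclusions, and how that relates to the iRule's `[SSL::cipher bits] < 128` check, here is an added Python example (not part of the thread and not F5 code) that evaluates a simplified model of the string against a constructed suite list. The suite table, its class tags and the function names are assumptions made for illustration; the real DEFAULT list depends on the BIG-IP version.

```python
# Constructed sample: (OpenSSL suite name, key bits, classes). Illustrative only;
# this is not the actual BIG-IP DEFAULT list, which varies by version.
SUITES = [
    ("AES256-SHA",      256, {"HIGH"}),
    ("DES-CBC3-SHA",    168, {"HIGH"}),
    ("AES128-SHA",      128, {"HIGH"}),
    ("RC4-SHA",         128, {"MEDIUM"}),
    ("RC4-MD5",         128, {"MEDIUM"}),
    ("DES-CBC-SHA",      56, {"LOW"}),
    ("EXP1024-RC4-SHA",  56, {"EXP", "EXPORT56"}),
    ("EXP-DES-CBC-SHA",  40, {"EXP", "EXPORT40"}),
    ("EXP-RC4-MD5",      40, {"EXP", "EXPORT40"}),
]


def evaluate(cipher_string, suites=SUITES):
    """Simplified model of a colon-separated cipher string.

    A bare term adds every suite it matches; "!term" removes matching suites
    permanently, regardless of where it appears in the string.
    """
    selected, banned = [], set()
    for term in cipher_string.split(":"):
        exclude = term.startswith("!")
        key = term[1:] if exclude else term
        for suite in suites:
            name, _bits, classes = suite
            # A term matches the whole list (DEFAULT), one suite name, or a class tag
            if key not in ("DEFAULT", name) and key not in classes:
                continue
            if exclude:
                banned.add(name)
            elif suite not in selected:
                selected.append(suite)
    return [s for s in selected if s[0] not in banned]


def below_threshold(cipher_string, threshold=128):
    """Names of still-negotiable suites that the iRule's `< 128` check would reject."""
    return [name for name, bits, _ in evaluate(cipher_string) if bits < threshold]


if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:!EXPORT40", "DEFAULT:!EXPORT40:!EXP:!LOW"):
        print(f"{spec:32} -> weak suites left: {below_threshold(spec)}")
```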