Enforcing SSL Ciphers from target external IP's?

Question

Is it possible with iRules for me to enforce a SSL cipher level for a select group of external IP's that are accessing a shared website?&nbsp;
&nbsp;Thanks for anyone that can spare some advice or if possible a starting point.&nbsp;&nbsp;

joe_pruitt · Answer

Sure it's possible.  The questions is how many external IPs are you looking at.  Is it a list of addresses, or subnets.  
Here's how you could do it for a set of fixed addresses*** Begin Data Group ***
class valid_addresses {
  "10.10.10.10"
  "10.10.10.11"
  "10.10.10.12"
}
*** Begin iRule ***
when HTTP_REQUEST {
  if { [matchclass [IP::client_addr] equals $::valid_addresses] } {
     check for at least 128 bits of encryption
    if { [SSL::cipher bits] &lt; 128 }{
       when browser cannot do at least 128 bits of encryption redirect
       to a un-encrypted page with an informational error
      HTTP::redirect http://10.10.10.10/error/sslerr.html
    }
  }
}
This should at least get you started...
-Joe

Forum Discussion

Enforcing SSL Ciphers from target external IP's?

Recent Discussions

F5 BOT DEFENSE AWAF blocked some legitimate browsers

Advice to partial rename uri path

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

XC Bot defense question

Related Content

Enforce Server Cipher proposal in preferred order

Cipher Suite Practices and Pitfalls

LTM Cipher rule

Disabling Weak Ciphers

Disable below cipher

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS