Forum Discussion

JBLACKBERRY_888
Sep 18, 2023

HELP CREATING AN IRULE THAT RESPONDS WITH AN HTML PAGE ACCORDING TO SSL VERSION

Hello,

I am trying to create / homologate a rule from a Citrix load balancer (NetScaler) on an F5 because of a brand migration; however, I have not been able to find the configuration for the rule, which I will detail below:

EXPRESSION:

(CLIENT.SSL.VERSION.EQ(0x301)||CLIENT.SSL.VERSION.EQ(0x302))&&(CLIENT.IP.SRC.EQ(x.x.x.x)||CLIENT.IP.SRC.EQ(y.y.y.y)||CLIENT.IP.SRC.EQ(x.x.y.y)||CLIENT.IP.SRC.EQ(y.y.x.x)||CLIENT.IP.SRC.EQ(x.y.x.y)).NOT


ACTION:

TYPE: Respond with HTML PAGE (response status code :200)

HTML PAGE:

 
<!DOCTYPE HTML>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>XXXXXXXX - Not Support TLS 1.2</title>
    <style>
        body {
            margin: 0;
            padding: 0;
            font-size: 16px;
            background-color: #F9F9F9;
        }
        .container {
            display: flex;
            align-items: center;
            justify-content: center;
            height: 100vh;
        }
        .content {
            max-width: 50%;
            width: 800px;
            height: auto;
            text-align: center;
            font-family: Calibri, Arial, Verdana;
            padding: 15px;
            -webkit-box-shadow: 10px 10px 7px -4px rgba(0,0,0,0.55);
            -moz-box-shadow: 10px 10px 7px -4px rgba(0,0,0,0.55);
            box-shadow: 10px 10px 7px -4px rgba(0,0,0,0.55);
            border: 1px solid #CCC;
            background-color: #FFFFFF;
        }
        .title {
            font-size: 2.5rem;
            color: #c70000;
            margin: 20px 0px;
        }
        .description {
            color: #606060;
            font-size: 1.1rem;
        }
        .ico {
            width: 221px;
            height: 58px;
        }
        a:link    { color: rgba(0,166,201,1); text-decoration: none; }
        a:active  { color: rgba(0,166,201,1); text-decoration: none; }
        a:visited { color: rgba(0,166,201,1); text-decoration: none; }
        a:hover   { color: rgba(0,166,201,1); text-decoration: underline; }
    </style>
</head>
<body>
    <div class="container">
        <div class="content">
            <p class="title">Su navegador no soporta TLS 1.2</p>
            <div class="description">Actualmente su versi&oacute;n del navegador no est&aacute; soportando la versi&oacute;n de TLS 1.2 o superior.</div>
            <p></p>
            <div class="description">Por motivos de seguridad y protecci&oacute;n de su informaci&oacute;n, por favor actualice su </div>
            <div class="description">navegador a la versi&oacute;n m&aacute;s reciente para acceder a los servicios web de XXXXXX.</div>
            <p></p>
            <div class="description">Comun&iacute;quese con el departamento de Tecnolog&iacute;a de su entidad para solicitar la</div>
            <div class="description">actualizaci&oacute;n de su navegador y de esta manera restaurar su acceso a estos servicios.</div>
            <p></p>
            <div class="description">En caso de no contar con soporte de Tecnolog&iacute;a en su empresa, podr&aacute;n encontrar </div>
            <div class="description">informaci&oacute;n sobre c&oacute;mo realizar la actualizaci&oacute;n usted mismo descargando un instructivo</div>
            <div class="description">en el siguiente link: <a href="httpLINK">httpLINK</a></div>
            <p></p>
            <div class="description">Para XXXXXX lo m&aacute;s importante es proteger la seguridad de su informaci&oacute;n. </div>
            <p><a href="httpLINKXXXXXX">&copy; XXXXXX</a></p>
        </div>
    </div>
</body>
</html>
 
 
Thank you for your support and help.
 

Edited by Leslie_Hubertus to remove actual links.

  • It is definitely possible on the F5. I would start by saving the HTML you want to serve up as an iFile. Then, on the Virtual Server, you will need to make sure you have an SSL Client profile, and of course an HTTP profile, applied. Once you have that in place, we can set up the iRule with the logic you are looking for.

    Take a look here for starters:

    https://clouddocs.f5.com/api/irules/ifile.html

  • Here is what else I found:

    The SSL/TLS version will be written as hex. 0x303 is TLS 1.2, 0x302 is TLS 1.1, 0x301 is TLS 1.0, 0x300 is SSL 3.0

    So essentially, you are blocking TLS 1.0 and TLS 1.1 for all source IPs except for a small specific set (maybe internal testers? important executive people not wanting to upgrade their laptop? idk).

    So, you will need to capture the encryption type via the following:


    when CLIENTSSL_CLIENTHELLO {
      # Record the client's SSL/TLS protocol version for use in HTTP_REQUEST
      set ssl_version [SSL::cipher version]
    }
    when HTTP_REQUEST {
      # Serve the iFile only to clients on TLS 1.0 / TLS 1.1 that are not in the exempt source list
      if { (not ([IP::addr [IP::client_addr] equals 10.10.10.10] or [IP::addr [IP::client_addr] equals 10.10.10.20] or [IP::addr [IP::client_addr] equals 10.10.10.30])) and ($ssl_version equals "TLSv1" or $ssl_version equals "TLSv1.1") } {
        HTTP::respond 200 content [ifile get web_page] "Content-Type" "text/html;charset=utf-8"
      }
    }
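A complete iRule covering both the NetScaler expression in the question and the reply's approach, as an added example that is not from the original post or any reply. It goes slightly beyond the reply: the exempt source addresses live in an address-type data group instead of being hard-coded, the protocol version is read in CLIENTSSL_HANDSHAKE (by which point the version is fully negotiated), and an unset variable on a plain-HTTP virtual server is guarded against. The iFile name `tls_upgrade_page` and the data group name `dg_legacy_tls_exempt` are placeholders you would create yourself.

```tcl
# Added example iRule (not from the original post or replies). Assumptions:
#   - an iFile named "tls_upgrade_page" holds the HTML from the question
#   - an address-type data group "dg_legacy_tls_exempt" lists the source
#     IPs that may still use TLS 1.0 / TLS 1.1 (the x.x.x.x list)
# Both names are placeholders; create them before applying the iRule.

when CLIENTSSL_HANDSHAKE {
    # Record the negotiated protocol version once the handshake completes.
    # SSL::cipher version returns strings such as "TLSv1", "TLSv1.1", "TLSv1.2".
    set ssl_version [SSL::cipher version]
}

when HTTP_REQUEST {
    # A plain-HTTP virtual server never runs CLIENTSSL_HANDSHAKE, so guard
    # against an unset variable instead of letting the iRule abort.
    if { ![info exists ssl_version] } { return }

    # Mirrors the NetScaler expression:
    #   (TLS 1.0 or TLS 1.1) and NOT (source address in the exempt list)
    set legacy_tls [expr { $ssl_version eq "TLSv1" || $ssl_version eq "TLSv1.1" }]
    set exempt     [class match [IP::client_addr] equals dg_legacy_tls_exempt]

    if { $legacy_tls && !$exempt } {
        # Keep a record of who is still on old TLS; useful while driving the
        # migration and for deciding when the exempt list can be emptied.
        log local0. "Legacy TLS ($ssl_version) from [IP::client_addr], serving upgrade page"

        # Status 200 matches the NetScaler action. no-store keeps the notice
        # from being cached and shown again after the client has upgraded.
        HTTP::respond 200 content [ifile get tls_upgrade_page] \
            "Content-Type" "text/html; charset=utf-8" \
            "Cache-Control" "no-store" \
            "Connection" "close"
    }
}
```

Because the clientssl profile still has to allow TLS 1.0 and 1.1 for the handshake to complete and the page to be served, keep the exempt data group as short-lived as possible and review the `local0` log periodically; once it stops showing legacy-TLS clients, the old protocol versions can be disabled in the profile and the iRule removed.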