Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

JBLACKBERRY_888's avatar
JBLACKBERRY_888
Icon for Nimbostratus rankNimbostratus
Sep 18, 2023

HELP CREATING IRULE FOR ACCORDING SSL VERSION RESPONSE WITH HTML PAGE

Hello, I am trying to create / homologate a rule from a citrix balancer(netscaler) to a F5 because of a brand migration, however I have not been able to find the configuration for the rule which I ...
application delivery
devops
whisperer's avatar
whisperer
Icon for MVP rankMVP
Sep 22, 2023

Here is what else I found:

The SSL/TLS version will be written as hex. 0x303 is TLS 1.2, 0x302 is TLS 1.1, 0x301 is TLS 1.0, 0x300 is SSL 3.0

So essentially, you are blocking TLS 1.0 and TLS 1.1 for all source IPs except for a small specific set (maybe internal testers? important executive people not wanting to upgrade their laptop? idk).

So, you will need to capture the encryption type via the following:

 

 

when CLIENTSSL_CLIENTHELLO {
  set ssl_version [SSL::cipher version]
}
when HTTP_REQUEST {
  if { (not ([IP::addr [IP::client_addr] equals 10.10.10.10] or [IP::addr [IP::client_addr] equals 10.10.10.20] or [IP::addr [IP::client_addr] equals 10.10.10.30])) and ($ssl_version equals "TLSv1" or $ssl_version equals equals "TLSv1.1") } {
    HTTP::respond 200  content [ifile get web_page] "Content-Type" "text/html;charset=utf-8"
  }
}