Forum Discussion
David_Broach_20
Nimbostratus
Sep 16, 2008
Identify Client Cipher Strength
I saw on this forum where someone was redirecting on lower cipher strength. We want to only allow clients connecting at 128 bit or higher and I know how to do that via the client profile. However, before "pulling the plug" on that setting I would like to use an iRule to identify if anyone is connecting at a lower strength and if so who they are. Thanks in advance for any help.
David
6 Replies
- hoolio
Cirrostratus
What type of information are you looking to get about the weak encryption clients?
You could either check the access logs for the URL you're redirecting them to, or you could log details in the rule itself:
http://devcentral.f5.com/wiki/default.aspx/iRules/RedirectOnWeakEncryption.html

```tcl
when HTTP_REQUEST {
    # check for at least 128 bits of encryption
    if { [SSL::cipher bits] < 128 } {
        # when browser cannot do at least 128 bits of encryption
        # log client details
        log local0. "Client IP:port: [IP::client_addr]:[TCP::client_port], Host/URI [HTTP::host][HTTP::uri],\
            User-Agent: [HTTP::header User-Agent], Auth header: [HTTP::header Authorization], cipher bits: [SSL::cipher bits]"
        # and redirect to an unencrypted page with an informational error
        HTTP::redirect "http://10.10.10.10/error/sslerr.html"
    }
}
```

Aaron
- David_Broach_20
Nimbostratus
As I mentioned in my post, I would like to identify any of our clients connecting at a lower cipher strength before doing something like redirecting them. So to answer your question, I am looking for any information to help identify them... source IP, Host, ... In the iRule you posted, where is this logging to?
- hoolio
Cirrostratus
By default local0.* gets logged to the /var/log/ltm log file. You could just log and comment out the redirect to start with.
Aaron
- David_Broach_20
Nimbostratus
Thanks, I will give that a try.
- Tim_94722
Nimbostratus
This post is very helpful regarding redirect on weak encryption. I want to create an iRule to display or redirect customers to a page telling them they have low cipher strength and need to have SSLv3 and TLSv1.0 enabled for their browser. I was looking into the F5 Dev site and found this http://devcentral.f5.com/wiki/default.aspx/iRules/RedirectOnWeakEncryption.html , but it only works for browsers lower than 128 bit encryption; I need it for SSLv3 and TLSv1.0 as well. Is there a way to do this? Can you please help? Thanks.
- hoolio
Cirrostratus
Hi Tung,
You can check this post and the SSL::cipher version wiki page for some examples:
HTTPS Redirects (Click here)
SSL::cipher (Click here)
Aaron
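
Added example, not part of the thread and not F5 code: a Python script that summarizes the lines the iRule above writes to /var/log/ltm, grouping requests below 128 bits by client IP so the affected clients can be identified before the profile is tightened. The syslog prefix, the rule name `weak_cipher_log` and every sample value are constructed assumptions; the Authorization header, which carries client credentials, is reduced to a sent/not-sent flag and never copied into the summary.

```python
import re
from collections import defaultdict

# Matches only the message body written by the iRule's log statement, so the
# syslog prefix in front of it (host, tmm pid, rule name) can have any layout.
LINE_RE = re.compile(
    r"Client IP:port: (?P<ip>\S+):(?P<port>\d+), "
    r"Host/URI (?P<target>\S*?),\s*User-Agent: (?P<ua>.*?), "
    r"Auth header: (?P<auth>.*?), cipher bits: (?P<bits>\d+)\s*$"
)

def summarize_weak_clients(lines, min_bits=128):
    """Group logged requests negotiated below min_bits by client IP."""
    clients = defaultdict(lambda: {"hits": 0, "bits": set(), "hosts": set(),
                                   "agents": set(), "sent_auth": False})
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or int(m["bits"]) >= min_bits:
            continue  # unrelated log line, or strong enough to ignore
        c = clients[m["ip"]]
        c["hits"] += 1
        c["bits"].add(int(m["bits"]))
        c["hosts"].add(m["target"].split("/", 1)[0])  # host part of Host/URI
        c["agents"].add(m["ua"])
        # Keep only the fact that credentials were sent, never the value.
        c["sent_auth"] = c["sent_auth"] or bool(m["auth"].strip())
    return dict(clients)

# Constructed sample lines: prefix layout, rule name and values are assumed.
SAMPLE_LOG = """\
Sep 16 10:01:02 bigip1 info tmm[1234]: Rule weak_cipher_log <HTTP_REQUEST>: Client IP:port: 192.0.2.10:51234, Host/URI www.example.com/login, User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98), Auth header: , cipher bits: 40
Sep 16 10:01:09 bigip1 info tmm[1234]: Rule weak_cipher_log <HTTP_REQUEST>: Client IP:port: 192.0.2.10:51240, Host/URI www.example.com/account, User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98), Auth header: Basic c2FtcGxlOnNhbXBsZQ==, cipher bits: 40
Sep 16 10:03:41 bigip1 info tmm[1234]: Rule weak_cipher_log <HTTP_REQUEST>: Client IP:port: 198.51.100.7:40022, Host/URI api.example.com/v1/status, User-Agent: LegacyClient/1.0, build 7, Auth header: , cipher bits: 56
Sep 16 10:05:00 bigip1 notice constructed unrelated message
""".splitlines()

if __name__ == "__main__":
    for ip, c in sorted(summarize_weak_clients(SAMPLE_LOG).items()):
        print(ip, c["hits"], sorted(c["bits"]), sorted(c["hosts"]),
              sorted(c["agents"]), "auth sent" if c["sent_auth"] else "no auth")
```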