Forum Discussion
David_Broach_20
Nimbostratus
Sep 16, 2008
Identify Client Cipher Strength
I saw on this forum where someone was redirecting on lower cipher strength. We want to only allow clients connecting at 128 bit or higher and I know how to do that via the client profile. However, bef...
hoolio
Cirrostratus
Sep 16, 2008
What type of information are you looking to get about the weak encryption clients?
You could either check the access logs for the URL you're redirecting them to, or you could log details in the rule itself:
http://devcentral.f5.com/wiki/default.aspx/iRules/RedirectOnWeakEncryption.html
when HTTP_REQUEST {
    # check for at least 128 bits of encryption
    if { [SSL::cipher bits] < 128 }{
        # when browser cannot do at least 128 bits of encryption log client details
        log local0. "Client IP:port: [IP::client_addr]:[TCP::client_port], Host/URI [HTTP::host][HTTP::uri],\
            User-Agent: [HTTP::header User-Agent], Auth header: [HTTP::header Authorization], cipher bits: [SSL::cipher bits]"
        # and redirect to an unencrypted page with an informational error
        HTTP::redirect "http://10.10.10.10/error/sslerr.html"
    }
}
Aaron
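Added example, not part of the original post or F5's code: Python that parses the messages written by the iRule's log command above and counts weak-cipher requests per client, keeping only the Authorization scheme so the credential itself does not reach the report. The syslog prefix, the rule name `weak_cipher` and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Matches the message built by the iRule's log command; the syslog prefix
# varies, so the pattern is searched for, not anchored at the start.
# User-Agent and Authorization are client-supplied and may contain commas,
# so "cipher bits" is anchored at the end of the line.
LINE_RE = re.compile(
    r"Client IP:port: (?P<ip>\S+):(?P<port>\d+), "
    r"Host/URI (?P<target>\S*), "
    r"User-Agent: (?P<ua>.*?), "
    r"Auth header: (?P<auth>.*?), "
    r"cipher bits: (?P<bits>\d+)\s*$"
)

def parse_line(line):
    """Return the fields of one weak-cipher log line, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    # Keep only the auth scheme ("Basic", ...); drop the credential itself.
    rec["auth"] = rec["auth"].split(" ", 1)[0]
    return rec

def summarise(lines):
    """Count weak-cipher requests per (client IP, User-Agent, cipher bits)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ip"], rec["ua"], rec["bits"])] += 1
    return counts

# Constructed sample lines; the syslog prefix shown is an assumed format.
PREFIX = "Sep 16 10:01:02 bigip1 tmm[1234]: Rule weak_cipher <HTTP_REQUEST>: "
SAMPLE = [
    PREFIX + "Client IP:port: 192.0.2.10:51234, Host/URI www.example.com/login, "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), "
    "Auth header: Basic dXNlcjpwYXNz, cipher bits: 40",
    PREFIX + "Client IP:port: 192.0.2.10:51240, Host/URI www.example.com/, "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), "
    "Auth header: , cipher bits: 40",
    PREFIX + "Client IP:port: 198.51.100.7:40022, Host/URI www.example.com/a?b=1, "
    "User-Agent: Mozilla/5.0 (X11; U) AppleWebKit/525 (KHTML, like Gecko), "
    "Auth header: , cipher bits: 56",
    "Sep 16 10:01:03 bigip1 mcpd[999]: unrelated message",
]
if __name__ == "__main__":
    for (ip, ua, bits), n in summarise(SAMPLE).most_common():
        print(f"{n:3d}  {ip:15s}  {bits:3d}-bit  {ua}")
```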