
Forum Discussion

Nuttycomputer_1
Oct 16, 2014

iRule - Reject SSL 3.0

Looking for assistance on whether this is possible with an iRule.


We have a vendor system behind an F5, and with the new SSL 3.0 vulnerability the vendor has gotten back to us indicating they have no plans to disable SSL 3.0 or protect against the new vulnerability, stating it is a browser issue.


Upper management also doesn't want to open up the can of worms that is SSL offloading. I'm going through the iRule flag and I see SSL::cipher version.


Is it possible to match on this without needing to do offloading or changing too much in our current setup?


This is where I'm reviewing https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx


5 Replies

  • Hello


    It seems you should be able to, based on the wiki page you specified. What do you want the action to be if SSL version 3 is detected? Assuming you want to reject the connection?


    Do you want the F5 to respond with a warning message?


  • Default would be to just drop the packet... I'm thinking something like this is simple enough. Haven't touched iRules since a brief LTM training so I can't recall if I need to add a forward to pool or if the drop statement is enough:

    when HTTP_REQUEST {
      # Check encryption type
      if { [SSL::cipher version] equals "SSLv3" } {
        # If SSLv3 detected, drop the connection
        drop
      }
    }
    
    • jgranieri_42214

      drop or reject

      Rule 1 on VS1

      when HTTP_REQUEST priority 100 {
        # This event in this iRule runs first
        log local0. "Rejecting this request"
        reject
      }
  • Looks like the "SSL::cipher version" check does require an SSL profile for the virtual server. I wonder if there is another way to do this.


  • I may not have to completely re-invent the wheel though; it looks like someone came up with a solution for TCP-only balancing:


    https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections


    I may play with it to tweak or add a redirect, but it seems to be working.
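An added example of the TCP-only approach the last reply refers to (this is not the linked article's code and not any poster's code): an iRule for a virtual server that has only a TCP profile, no SSL or HTTP profile. It holds the client's first bytes, reads the version the ClientHello offers in either the SSLv3/TLS record format or the older SSLv2-compatible format, rejects connections that offer SSL 3.0, and releases everything else unchanged. The use of local0 for logging and the constructed log text are assumptions.

```tcl
when CLIENT_ACCEPTED {
    # Hold the client's first bytes so CLIENT_DATA can inspect the ClientHello
    # before anything is sent to the pool. No SSL profile is needed for this.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]

    # Need the 5-byte record header, 4-byte handshake header and 2-byte
    # client_version field (11 bytes) before a decision can be made.
    if { $plen < 11 } {
        TCP::collect
        return
    }

    set client_version -1
    binary scan $payload c first_byte

    if { ($first_byte & 0x80) != 0 } {
        # SSLv2-format ClientHello: 2-byte length with the high bit set, then
        # message type (1 = ClientHello) and the highest version offered.
        binary scan $payload x2cS msg_type v2_version
        if { $msg_type == 1 } {
            set client_version [expr {$v2_version & 0xffff}]
        }
    } else {
        # SSLv3/TLS record: content type (1), record version (2), length (2);
        # handshake header: type (1), length (3); then client_version (2).
        binary scan $payload cSScx3S content_type record_version record_len hs_type v3_version
        if { $content_type == 22 && $hs_type == 1 } {
            set client_version [expr {$v3_version & 0xffff}]
        }
    }

    # 0x0300 is SSL 3.0. Anything else (TLS 1.x, or data that is not an SSL
    # handshake at all) is passed through so non-SSL traffic is unaffected.
    if { $client_version == 0x0300 } {
        log local0. "Rejecting SSLv3 ClientHello from [IP::client_addr]:[TCP::client_port]"
        reject
        return
    }
    TCP::release
}
```

Because the decision is made on the handshake version the client offers rather than on a negotiated cipher, it works without SSL offloading, and a log entry per rejected connection gives a simple way to measure how many clients still fall back to SSL 3.0 before the change is made permanent.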