Forum Discussion
iRule and SSL Cipher Blocking URL Access
Hello,
We want to disable TLSv1.0 via the SSL profile on our VIPs. I have a new SSL profile that does that with the below format.
DEFAULT:!SSLv3:!RC4:!TLSv1
We ALSO want to direct any TLSv1.0 traffic to our own HTML page. I've created an iRule for that, shown below.
when HTTP_REQUEST {
if { [SSL::cipher version] eq "TLSv1" } {
HTTP::respond 200 content [ifile get "/Common/NoTLSv10_iFile"] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" "Connection" "Close"
} else {
log local0. "SSL Protocol version [SSL::cipher version]"
}
}
I validated that the iRule works as expected when applied to the HTTPS VIP and testing with IE with only TLSv1.0 enabled.
HOWEVER, my testing today WITH the new SSL profile is not getting the same results. Testing with IE with only TLSv1.0 enabled routes traffic to an internet search, not to our html page.
I have the iRule applied to our HTTPS VIP. We have both HTTP and HTTPS for each VIP but there is a HTTP to HTTPS redirect iRule applied to the HTTP VIPs.
I'm trying various iterations of ordering the two iRules on the HTTP VIP but not having any success.
The end goal is twofold:
- block TLSv1.0 traffic
- send any TLSv1.0 traffic to our HTML page
There's clearly something conflicting but I'm not able to determine how to resolve.
I appreciate any assistance that can be provided.
Diane
the problem is that you can't have it both ways, if you don't allow TLS 1.0 then you can't show a page on a TLS 1.0 connection. there never will be a TLS 1.0 connection, it will fail.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com