Forum Discussion
LeonardoF5_1747
Nimbostratus
NimbostratusIrule Check SSL Version and Redirect
Just to share my irule to check SSL Cypher or Bits on SSL Handshake, and redirect to another url.
This working on Firefox,Chrome and IE.
when CLIENTSSL_HANDSHAKE {
if { ( [SSL::cipher version] <= "TLSv1" ) } {
log local0. "Denegacion SSL Handshake para el Cliente [IP::client_addr]:[TCP::client_port] usando [SSL::cipher version], [SSL::cipher name] y [SSL::cipher bits]"
set invalid_ssl 1
} else {
set invalid_ssl 0
}
}
when HTTP_REQUEST {
if { $invalid_ssl } then {
HTTP::redirect "http://www.example.com/example"
TCP::close
event disable all
return
}
}
Regards.
- Kai_Wilke
MVP
Hi Leonardo,
unfortunately your iRule works only by "accident" since your
expression performs a numerical lesser or equal comparsion on non-numeric values.[SSL::cipher version] <= "TLSv1"Basically you just check if the requested cipher version string has a lower order in the alphabet than "TLSv1" without checking if something is more secure than the other...
"TLSv1.2" <= "TLSv1" = Allow "TLSv1.1" <= "TLSv1" = Allow "TLSv1" <= "TLSv1" = Block "SSL3" <= "TLSv1" = Block "SSL2" <= "TLSv1" = Block "A" <= "TLSv1" = Block "Z" <= "TLSv1" = Allow "a" <= "TLSv1" = Block "z" <= "TLSv1" = BlockTo compare text strings reliable you should only use
,equals
,eq
,ne
,starts_with
andends_with
directives and usecontains
,==
,!=
and<=
only for pure numeric comparsions.>=when CLIENTSSL_HANDSHAKE { if { ( [SSL::cipher version] ne "TLSv1.1" ) and ( [SSL::cipher version] ne "TLSv1.2" ) } then { log local0. "Denegacion SSL Handshake para el Cliente [IP::client_addr]:[TCP::client_port] usando [SSL::cipher version], [SSL::cipher name] y [SSL::cipher bits]" set invalid_ssl 1 } else { set invalid_ssl 0 } } when HTTP_REQUEST { if { $invalid_ssl } then { HTTP::redirect "http://www.example.com/example" TCP::close event disable all return } }Cheers, Kai
