LeonardoF5_1747
Oct 10, 2017, Nimbostratus
iRule Check SSL Version and Redirect
Just sharing my iRule to check the SSL cipher or bits on the SSL handshake and redirect to another URL.
This works on Firefox, Chrome and IE.
when CLIENTSSL_HANDSHAKE {
if { ( [SSL::cipher versi...
Kai_Wilke
Oct 10, 2017, MVP
Hi Leonardo,
unfortunately your iRule works only by "accident", since your
[SSL::cipher version] <= "TLSv1"
expression performs a numerical less-than-or-equal comparison on non-numeric values.
Basically you just check whether the requested cipher version string has a lower order in the alphabet than "TLSv1", without checking whether one version is more secure than the other...
"TLSv1.2" <= "TLSv1" = Allow
"TLSv1.1" <= "TLSv1" = Allow
"TLSv1" <= "TLSv1" = Block
"SSL3" <= "TLSv1" = Block
"SSL2" <= "TLSv1" = Block
"A" <= "TLSv1" = Block
"Z" <= "TLSv1" = Allow
"a" <= "TLSv1" = Block
"z" <= "TLSv1" = Block
To compare text strings reliably you should only use the equals, eq, ne, starts_with, ends_with and contains directives, and use ==, !=, <= and >= only for pure numeric comparisons.
when CLIENTSSL_HANDSHAKE {
    # Exact string comparison with "ne": only TLSv1.1 and TLSv1.2 are accepted.
    if { ( [SSL::cipher version] ne "TLSv1.1" )
         and ( [SSL::cipher version] ne "TLSv1.2" ) } then {
        log local0. "Denegacion SSL Handshake para el Cliente [IP::client_addr]:[TCP::client_port] usando [SSL::cipher version], [SSL::cipher name] y [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # The flag set during the handshake decides whether this request is redirected.
    if { $invalid_ssl } then {
        HTTP::redirect "http://www.example.com/example"
        TCP::close
        event disable all
        return
    }
}
Cheers, Kai
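The comparison problem Kai describes, modelled in plain Python as an added example (this is not code from the thread or from F5). Python's string `<=` is a lexical comparison, which is also what Tcl's `expr` does when both operands are non-numeric, so `lexical_block` reproduces the original iRule's test; `allowlist_block` mirrors Kai's `ne` check; `minimum_version_block` goes one step beyond the thread by ranking the version names and failing closed on anything it does not recognise. The version names are the ones used in the thread; that they match the exact output of `SSL::cipher version` on a given BIG-IP release is an assumption.

```python
"""Added example, not from the DevCentral thread: three ways of testing a
negotiated SSL/TLS version string, run side by side so the difference between
lexical ordering and a real security ordering is visible."""

# Version names as written in the thread, oldest to newest. Assumption: these
# are the strings SSL::cipher version returns on the device in question.
VERSION_ORDER = ["SSL2", "SSL3", "TLSv1", "TLSv1.1", "TLSv1.2"]
VERSION_RANK = {name: rank for rank, name in enumerate(VERSION_ORDER)}


def lexical_block(version: str) -> bool:
    """The original iRule's test: version <= "TLSv1" as a plain string compare.
    True means the handshake is flagged. This is alphabetical ordering, not a
    security ordering: "TLSv1.2" sorts after "TLSv1" only because a longer
    string with the same prefix is greater, and a letter's case changes the
    result because ASCII lowercase sorts after uppercase."""
    return version <= "TLSv1"


def allowlist_block(version: str, allowed=("TLSv1.1", "TLSv1.2")) -> bool:
    """Kai's fix: exact string (in)equality against an explicit allow-list.
    Anything not listed, including unexpected or malformed names, is flagged."""
    return version not in allowed


def minimum_version_block(version: str, minimum: str = "TLSv1.1") -> bool:
    """Generalisation of the allow-list (assumed approach, not from the thread):
    rank the known names and flag anything below `minimum`. Unknown names have
    no rank and are flagged (fail closed), so a future or mistyped version
    string never slips through as allowed."""
    rank = VERSION_RANK.get(version)
    if rank is None:
        return True
    return rank < VERSION_RANK[minimum]


def _label(blocked: bool) -> str:
    return "Block" if blocked else "Allow"


def decision_table(versions):
    """Run all three checks over a list of version strings and return
    {version: {"lexical": ..., "allowlist": ..., "ranked": ...}} with
    "Allow"/"Block" labels for side-by-side comparison."""
    return {
        v: {
            "lexical": _label(lexical_block(v)),
            "allowlist": _label(allowlist_block(v)),
            "ranked": _label(minimum_version_block(v)),
        }
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample of negotiated versions, including the odd strings from
    # Kai's table, to show how each check treats them.
    samples = ["TLSv1.2", "TLSv1.1", "TLSv1", "SSL3", "SSL2", "A", "Z", "a", "z"]
    for version, result in decision_table(samples).items():
        print(f"{version:8} lexical={result['lexical']:5} "
              f"allowlist={result['allowlist']:5} ranked={result['ranked']}")
```

Running the block prints one row per sample; the lexical column matches the ordering Kai lists for the real version names, while the allow-list and ranked columns agree with each other and flag every unrecognised string.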