iRule event for SSL handshake fail?
Hi Niho,
you may use the iRule below as a starting point. It will analyse the cipher settings of the underlying SSL connection and HTTP::redirect the client to an error page if the cipher settings don't meet the minimum requirements.
when CLIENTSSL_HANDSHAKE {
    # Flag the connection when the negotiated cipher is too weak:
    # SSLv2/SSLv3, any DES/3DES or RC4 cipher, or fewer than 128 key bits.
    if { ( [SSL::cipher version] contains "SSL" ) or
         ( [SSL::cipher name] contains "DES" ) or
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] < 128 ) } then {
        log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # Check that the variable exists so the iRule does not raise a Tcl error
    # on a request that arrives without a preceding CLIENTSSL_HANDSHAKE event.
    if { [info exists invalid_ssl] && $invalid_ssl } then {
        HTTP::redirect http://www.domain.de/errorpage.html
    }
}
Note: You have to enable insecure cipher settings on your SSL profile to allow the insecure clients to establish an SSL/TLS channel using weak ciphers. Then use the iRule above to sort out the weak ciphers, encryption methods and insecure key lengths as needed.
Cheers, Kai
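Added example, not part of Kai's answer: a small Python script that parses the "Denied SSL Handshake" lines the iRule above writes to local0 and counts which weak ciphers and which clients are hitting them, so you can see what would break before removing the weak ciphers from the SSL profile. The syslog prefix and the rule name in the sample lines are assumptions; only the message text after the colon comes from the iRule.

```python
import re
from collections import Counter

# Matches the message the iRule's `log local0.` command emits. Real LTM log
# lines carry a syslog prefix, so we search instead of matching from the start.
DENIED_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>\S+):(?P<port>\d+) "
    r"using (?P<version>\S+), (?P<cipher>\S+) and (?P<bits>\d+)"
)

def parse_denied_line(line):
    """Return the fields of one denied-handshake log line, or None if no match."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bits"] = int(rec["bits"])
    return rec

def summarize(lines):
    """Count denied handshakes per (version, cipher, bits) and per client IP."""
    by_cipher = Counter()
    by_client = Counter()
    for line in lines:
        rec = parse_denied_line(line)
        if rec is None:          # unrelated log line, skip it
            continue
        by_cipher[(rec["version"], rec["cipher"], rec["bits"])] += 1
        by_client[rec["ip"]] += 1
    return by_cipher, by_client

# Constructed sample log; the prefix format and rule path are assumptions.
PREFIX = "Jan 12 10:01:02 bigip1 info tmm[1234]: Rule /Common/weak_cipher_check "
SAMPLE_LOG = "\n".join([
    PREFIX + "<CLIENTSSL_HANDSHAKE>: Denied SSL Handshake for Client 192.0.2.10:51234 using TLSv1, DES-CBC3-SHA and 168",
    PREFIX + "<CLIENTSSL_HANDSHAKE>: Denied SSL Handshake for Client 192.0.2.10:51240 using TLSv1, RC4-SHA and 128",
    PREFIX + "<CLIENTSSL_HANDSHAKE>: Denied SSL Handshake for Client 198.51.100.7:40001 using SSLv3, AES256-SHA and 256",
    PREFIX + "<CLIENTSSL_HANDSHAKE>: Denied SSL Handshake for Client 203.0.113.5:33333 using TLSv1, EXP-RC4-MD5 and 40",
    PREFIX + "<HTTP_REQUEST>: unrelated message",
])

if __name__ == "__main__":
    ciphers, clients = summarize(SAMPLE_LOG.splitlines())
    for (version, cipher, bits), n in ciphers.most_common():
        print(f"{n:4d}  {version:8s} {cipher:16s} {bits} bits")
    for ip, n in clients.most_common():
        print(f"{n:4d}  {ip}")
```

Note that 3DES is denied by the cipher name even though SSL::cipher bits reports 168, which is why the iRule checks the name as well as the bit count.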