Forum Discussion
NiHo_202842
Cirrostratus
Aug 26, 2016iRule event for SSL handshake fail?
Hi,
is there a way to detect that the client does not support any of the clientssl ciphers?
I would like to show a static page saying to upgrade their browser/OS. Thanks!
Regards
Kai_Wilke
MVP
Aug 26, 2016Hi Niho,
you may use the iRule below as a startingpoint. It will analyse the used cipher settings of the underlying SSL connections and HTTP::redirect the client to an error page if the cipher settings doesn't meet the minimum requirements.
when CLIENTSSL_HANDSHAKE {
if { ( [SSL::cipher version] contains "SSL" ) or
( [SSL::cipher name] contains "DES" ) or
( [SSL::cipher name] contains "RC4" ) or
( [SSL::cipher bits] < 128 ) } then {
log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
set invalid_ssl 1
} else {
set invalid_ssl 0
}
}
when HTTP_REQUEST {
if { $invalid_ssl } then {
HTTP::redirect http://www.domain.de/errorpage.html
}
}
Note: You have to enable unsecure cipher settings on you SSL profile to allow the usecure clients to establish a SSL/TLS channel using weak ciphers. Then use the iRule above to sort out the weak chiphers, encryption methods and unsecure key lenght as needed.
Cheers, Kai
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects