Forum Discussion
iRule to redirect to an error page when the client requests with weak ciphers
Hi Team,
I have an iRule which will redirect to an error page when the client comes with weak ciphers after SSL handshake completion.
Can someone please help me with what needs to be done with the below iRule to intercept it sooner? The iRule should check and redirect to the error page during the initial SSL handshake from the client to the F5.
    when HTTP_REQUEST {
        log local0. "VIP connection request before if statement Client Source IP: [IP::client_addr]:[TCP::client_port] with [SSL::cipher name] and [SSL::cipher bits] "
        if { [SSL::cipher name] equals "RC4" && [SSL::cipher name] equals "SSLV3" && [SSL::cipher name] equals "3DES" } then {
            HTTP::redirect
        }
    }
Regards Visvesh.
7 Replies
Hi Visvesh,
this is unfortunately not possible.
Browsers wouldn't speak HTTP before the SSL handshake is complete. Therefore you can't use [HTTP::redirect] in earlier stages to redirect to a friendly error page.
BTW: Are you sure that your outlined iRule is working? You're using a && operator (aka. AND) to deny the different cipher suites, but the result can always be just one of the values. An || operator (aka. OR) would make more sense. In this case only one of the listed weak ciphers is needed to trigger the redirect...
Cheers, Kai
- Visvesh_138292
Nimbostratus
Thanks a lot for your response Kai...
I haven't tested this iRule yet... As you suggested I will use "||" instead of "&&".
Also, is there any way to enable logging with this iRule for the blocked ciphers?
Regards Visvesh.
Hi Visvesh,
you can use the iRule below as a starting point.
It performs the cipher checks during CLIENTSSL_HANDSHAKE to speed up keep-alive sessions. And then just triggers the [HTTP::redirect] during HTTP_REQUEST to send the friendly error message...

    when CLIENTSSL_HANDSHAKE {
        # Evaluate the negotiated suite once per TLS session instead of on every request
        if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "DES" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
            log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        # The connection-scoped flag set during the handshake decides the redirect
        if { $invalid_ssl } then {
            HTTP::redirect http://www.domain.de/errorpage.html
        }
    }

You may also take a look at Stephan's cipher sheet if you need to tweak the contained cipher values.
https://devcentral.f5.com/questions/tmos-ssl-tls-cipher-cheat-sheetanswer131007
Cheers, Kai
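To check the policy above against a cipher list offline, and to get the per-cipher visibility Visvesh asked about from the log lines the iRule writes, here is an added example (not part of Kai's post or of F5's tooling) that re-implements the CLIENTSSL_HANDSHAKE conditions in Python and aggregates the "Denied SSL Handshake" log entries; the sample log lines are constructed.

```python
import re

def is_weak_cipher(version: str, name: str, bits: int) -> bool:
    """Mirror of the iRule's handshake check: True when invalid_ssl would be set to 1."""
    return (
        "SSL" in version      # any SSLv2/SSLv3 negotiation
        or "DES" in name      # DES and 3DES suites, e.g. DES-CBC3-SHA
        or "RC4" in name
        or bits < 128         # export-grade or otherwise short keys
    )

# Matches the log line the iRule emits on a denied handshake. The client address
# is matched greedily so an IPv6 address containing colons still parses.
DENIED_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>.+):(?P<port>\d+) using "
    r"(?P<version>\S+), (?P<name>\S+) and (?P<bits>\d+)"
)

def parse_denied(line: str):
    """Return (ip, version, name, bits) for a denied-handshake line, else None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return m["ip"], m["version"], m["name"], int(m["bits"])

def summarize(lines):
    """Group denied handshakes by negotiated suite and collect the client IPs."""
    per_suite = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # unrelated /var/log/ltm entry
        ip, version, name, bits = parsed
        per_suite.setdefault(f"{version}/{name}/{bits}", set()).add(ip)
    return {suite: sorted(ips) for suite, ips in per_suite.items()}

# Constructed sample entries in the iRule's own log format.
SAMPLE_LOG = [
    "Denied SSL Handshake for Client 10.0.0.5:51234 using TLSv1, RC4-SHA and 128",
    "Denied SSL Handshake for Client 10.0.0.7:40001 using SSLv3, AES128-SHA and 128",
    "Denied SSL Handshake for Client 10.0.0.5:51240 using TLSv1, RC4-SHA and 128",
    "Denied SSL Handshake for Client 192.168.1.9:2222 using TLSv1, DES-CBC3-SHA and 168",
    "Rule /Common/weak_cipher_redirect <HTTP_REQUEST>: unrelated entry",
]

if __name__ == "__main__":
    for suite, clients in summarize(SAMPLE_LOG).items():
        print(f"{suite}: {len(clients)} client(s) {clients}")
```

Running the summary over the real ltm log before switching the redirect on shows which clients would be affected and by which suite.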
- Visvesh_138292
Nimbostratus
Hi Kai, thanks for providing the iRule.
What is invalid_ssl 1 and invalid_ssl 0 in the set syntax?
Also I see in the redirection it's used as invalid_ssl, not "invalid_ssl 1 and 0".
set invalid_ssl 1 } else { set invalid_ssl 0 }
Regards Visvesh.
Hi Visvesh,
the set invalid_ssl 1 stores the result of the check in a variable. The name of the variable is free text and can be changed to whatever you want.
A if { $invalid_ssl } then { ... } is a little faster than if { $invalid_ssl == 1 } then { ... } but is performing the same. Both will trigger the contained [HTTP::redirect] action as long as $invalid_ssl is set to 1.
Cheers, Kai
- Visvesh_138292
Nimbostratus
Thanks a lot Kai... I will test this iRule and update you with the results.
Regards Visvesh
- Fine. Let me know if it works out, or if you need additional assistance... ;-)