Forum Discussion
Visvesh_138292
Nimbostratus
Jan 08, 2016
Irule for redirect to error page when the client request from weak ciphers
Hi Team,
I have an iRule which will redirect to error page when the client comes from weak ciphers after SSL Handshake completion.
Can someone please help me on what needs to be done with the ...
Kai_Wilke
MVP
Jan 08, 2016
Hi Visvesh,
you can use the iRule below as a starting point.
It performs the cipher checks during CLIENTSSL_HANDSHAKE to speed up keep-alive sessions. And then just triggers the [HTTP::redirect] during HTTP_REQUEST to send the friendly error message...
```tcl
when CLIENTSSL_HANDSHAKE {
    # Evaluate the negotiated protocol and cipher once per SSL handshake
    if { ( [SSL::cipher version] contains "SSL" ) or
         ( [SSL::cipher name] contains "DES" ) or
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] < 128 ) } then {
        log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # Redirect every request on a connection that was flagged during the handshake
    if { $invalid_ssl } then {
        HTTP::redirect http://www.domain.de/errorpage.html
    }
}
```
You may also take a look at Stephan's cipher sheet if you need to tweak the contained cipher values.
https://devcentral.f5.com/questions/tmos-ssl-tls-cipher-cheat-sheetanswer131007
Cheers, Kai
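
The log line written by the iRule above can be tallied per client to see who is still negotiating weak ciphers and which of the four conditions each one trips. This Python script is an added example, not part of Kai's post; the syslog prefix, rule name and addresses in the sample lines are constructed.

```python
import re
from collections import Counter

# Matches the message body produced by the iRule's log statement; whatever
# syslog prefix precedes it is ignored. The greedy \S+ keeps IPv6 addresses
# intact because the port is always the last colon-separated field.
LINE_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>\S+):(?P<port>\d+) "
    r"using (?P<version>[^,]+), (?P<name>\S+) and (?P<bits>\d+)"
)

def reasons(version, name, bits):
    """Return which of the iRule's four conditions a handshake trips."""
    hits = []
    if "SSL" in version:      # [SSL::cipher version] contains "SSL"
        hits.append("protocol")
    if "DES" in name:         # also matches 3DES names such as DES-CBC3-SHA
        hits.append("DES")
    if "RC4" in name:
        hits.append("RC4")
    if bits < 128:
        hits.append("bits<128")
    return hits

def summarise(lines):
    """Count flagged handshakes per (client, version, cipher, reasons)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a line from this iRule
        why = ",".join(reasons(m["version"], m["name"], int(m["bits"])))
        counts[(m["ip"], m["version"], m["name"], why)] += 1
    return counts

# Constructed sample input (prefix and rule name are assumptions).
PREFIX = "Jan  8 10:00:01 bigip1 info tmm[1234]: Rule /Common/weak_cipher <CLIENTSSL_HANDSHAKE>: "
SAMPLE = [
    PREFIX + "Denied SSL Handshake for Client 192.0.2.10:51515 using TLSv1, RC4-SHA and 128",
    PREFIX + "Denied SSL Handshake for Client 192.0.2.10:51516 using TLSv1, RC4-SHA and 128",
    PREFIX + "Denied SSL Handshake for Client 198.51.100.7:40000 using SSLv3, DES-CBC3-SHA and 168",
    PREFIX + "Denied SSL Handshake for Client 2001:db8::5:40022 using TLSv1.2, DES-CBC3-SHA and 168",
    "Jan  8 10:00:02 bigip1 notice unrelated message",
]

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key)
```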