Forum Discussion

Nimbostratus

Nov 21, 2013

iRule for redirecting 128bit RC4-md5 and 128bit RC4-SHA to webpage

Hello I have been asked to deny or block 128bit RC4-md5 and 128bit RC4-SHA user reqeust, so I wrote following iRule when HTTP_REQUEST { log local0. "VIP connection request before if statem...

Employee

Nov 22, 2013

An HTTP_REQUEST does in fact come after the TCP and SSL handshakes, and the SSL::cipher command is only going to return the chosen cipher AFTER the SSL handshake, which means the command is only valid in SSL event and above. If you're looking at the SSL handshake in the network capture, you're going to see the client present a list of supported ciphers, one of which will invariably be RC4-MD5. The BIG-IP, however, will never choose that cipher unless you've specifically allowed it in your client SSL profile.

If you're looking to reject any browser that presents RC4-MD5 as a supported cipher, then you're most likely going to reject EVERY browser. I also tested your cipher string, and every browser on a Win7x64 system negotiated RC4-MD5.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

iRule for redirecting 128bit RC4-md5 and 128bit RC4-SHA to webpage

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Terraform LTM provider - ICMP disabled on resulting VIPs

Need to make 2 Virtual Appliance in r4600 F5

Disabling signature for a URL

XC - geo LB to the origin servers

F5 LACP

Related Content

F5 HTTPS Redirect 2025

(HTTP) Redirection via Arbitrary Host Header

Rewriting Redirects

Anchor Link Redirect

URI Redirect

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS