For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jmgrange_337011's avatar
jmgrange_337011
Icon for Nimbostratus rankNimbostratus
Oct 09, 2017

iRule not being processed fully

We are testing and trying to hammer out an iRule that will take traffic for a specific URL/host [host3.example.com] and have it go to a weaker SSL Profile than is currently being used by the Virtual ...
application delivery
BIG-IP
iRules
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Oct 10, 2017

Hi jmgrange,

the short answer to get an A+ Qualys rating while maintaining support for Windows XP can be found here...

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489

The long answer to your question is...

To switch and renegotiate from a high secure to a low secure Client-SSL-Profile for legacy clients you simply can not utilize the $1 event, because its already too late in the chain...

This a pure matter of "chicken or the egg": A client won't send the HTTP request before it has successfuly negotiated the SSL connection. In contrast you require that the legacy client has already send an HTTP request to become able to renegotiate the SSL connection using legacy SSL chipher settings. So in the end your renegotiation code will never become triggered by those clients who realy depend on it.^^

To still support your requested scenario you would need to identify the client (resp. its supported SSL capabilities) before the SSL handshake starts. But unfortunately this is a somewhat complicated approach and also costs a ton of CPU cycles. If my short answer does not meet your requirements, then you may take a look to Kevin Stewart SSL finger printing article to get an idea how complex this could be...

https://devcentral.f5.com/articles/tls-fingerprinting-a-method-for-identifying-a-tls-client-without-decrypting-24598

Cheers, Kai