iRule not being processed fully

Hi jmgrange,

the short answer to get an A+ Qualys rating while maintaining support for Windows XP can be found here...

https://devcentral.f5.com/questions/howto-getting-an-awesome-qualys-ssl-labs-rating-feb-2017-update-51489

The long answer to your question is...

To switch and renegotiate from a high secure to a low secure Client-SSL-Profile for legacy clients you simply can not utilize the $1 event, because its already too late in the chain...

This a pure matter of "chicken or the egg": A client won't send the HTTP request before it has successfuly negotiated the SSL connection. In contrast you require that the legacy client has already send an HTTP request to become able to renegotiate the SSL connection using legacy SSL chipher settings. So in the end your renegotiation code will never become triggered by those clients who realy depend on it.^^

To still support your requested scenario you would need to identify the client (resp. its supported SSL capabilities) before the SSL handshake starts. But unfortunately this is a somewhat complicated approach and also costs a ton of CPU cycles. If my short answer does not meet your requirements, then you may take a look to Kevin Stewart SSL finger printing article to get an idea how complex this could be...

https://devcentral.f5.com/articles/tls-fingerprinting-a-method-for-identifying-a-tls-client-without-decrypting-24598

Cheers, Kai