Forum Discussion

besogon_9363
Nov 01, 2015

iRule to catch RC4

Hello,

Can someone please help with an iRule to catch connections using RC4?

I am guessing I would have to use SSL::cipher name, but I'm not sure what the iRule would look like.

Thank you in advance.

I tried the rule below, but it does not work:

when HTTP_REQUEST {
    # -glob: "RC4*" matches cipher names that begin with RC4 (e.g. RC4-SHA)
    switch -glob [SSL::cipher name] {
        "RC4*" {
            log local0. "[IP::client_addr]:[TCP::client_port]: version: [SSL::cipher version], name: [SSL::cipher name], bits: [SSL::cipher bits]"
        }
    }
}

 

1 Reply

  • A couple of points:

    1) How do you know your iRule isn't working? In versions 11.6 and 12.0, RC4 isn't available by default, so unless you've modified the cipher string in use with your clientssl profile, you will never match on [SSL::cipher name] being equal to "RC4.*".

    2) Your code assumes that all RC4 ciphers begin with the string RC4. This may or may not be true, depending on the version of BIG-IP software you have in use and what the client suggests when connecting.

    I would suggest logging the ciphers in use a few times just to verify whether, and which, RC4 ciphers are in use.

    3) Why use a switch here, as you have only one matching condition? What you are trying to do could be done easily with an if statement.

    when HTTP_REQUEST {
      # "contains" matches RC4 anywhere in the cipher name, not only as a prefix
      if { [SSL::cipher name] contains "RC4" } {
        log local0.info "Your log string goes here"
      }
    }

    I haven't tried out this code, so no guarantee that it works properly.
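As an added example (not the poster's or the replier's code), here is an iRule that does the verification step suggested above: it logs the negotiated cipher on every client-side TLS handshake and flags RC4 wherever it appears in the name, not only as a prefix. It assumes BIG-IP reports OpenSSL-style cipher names such as RC4-SHA or ECDHE-RSA-RC4-SHA; the log wording is constructed.

```tcl
# Added example: runs once per client-side TLS handshake, so it also covers
# non-HTTP virtual servers and does not repeat the log for every HTTP request.
when CLIENTSSL_HANDSHAKE {
    set cipher  [SSL::cipher name]
    set details "client=[IP::client_addr]:[TCP::client_port] vip=[IP::local_addr]:[TCP::local_port] version=[SSL::cipher version] cipher=$cipher bits=[SSL::cipher bits]"

    # "*RC4*" (case-insensitive) matches RC4 anywhere in the name, e.g.
    # RC4-SHA, RC4-MD5, ECDHE-RSA-RC4-SHA (assumed OpenSSL-style names);
    # a prefix-only pattern such as "RC4*" would miss the ECDHE variants.
    if { [string match -nocase "*RC4*" $cipher] } {
        log local0.warn "RC4 negotiated: $details"
    } else {
        # Baseline record of every other cipher, so what clients actually
        # negotiate can be reviewed before RC4 is removed from the clientssl
        # profile's cipher string.
        log local0.info "cipher negotiated: $details"
    }
}
```

Once the baseline log shows no RC4 handshakes, the else branch can be dropped and the warn line kept as a tripwire while RC4 is removed from the cipher string.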