Forum Discussion
irule to choose clientside SSL profile for LDAP VIP
Hi all
I have a VIP for our AD LDAP. While the majority of our clients can connect using TLS, some legacy apps still require SSLv3.
Has anyone created an iRule that detects an SSLv3 attempt and redirects the request to a different clientside SSL profile?
I have seen a few rules but nothing precise to what I would like to do.
Thanks
Chung
2 Replies
- kunjan
Nimbostratus
I think it is not possible to switch dynamically based on SSL version. But you should be able to switch the client SSL profile based on a pre-determined IP list in the CLIENT_ACCEPTED event.
- chungyu_16122
Altostratus
I was thinking of collecting the incoming IP address:

```tcl
when CLIENTSSL_HANDSHAKE {
    # Log the client address whenever the negotiated protocol is SSLv3
    if { [SSL::cipher version] eq "SSLv3" } {
        log local0. "[IP::client_addr] [SSL::cipher version]"
    }
}
```
And then once I get a sufficient idea of the clients connecting to our AD service via SSLv3, I could do something like this:
```tcl
when CLIENT_ACCEPTED {
    # Match the client source address against the SSLv3_Client data group
    if { [class match [IP::client_addr] equals SSLv3_Client] } {
        SSL::profile ADC_LDAP_SSL3
    } else {
        SSL::profile ADC_LDAP
    }
}
```
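The logging iRule in the reply above writes one line per SSLv3 handshake; this added example, which is not from the thread, tallies such lines into the address list that a data group like SSLv3_Client would hold. The sample lines are constructed, and the syslog prefix, the rule name ldap_sslv3_log and the `%2` route-domain suffix are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. The syslog prefix and rule name are assumptions;
# only the tail after the event name is parsed.
SAMPLE_LOG = """\
Mar  3 10:15:22 bigip1 info tmm[11234]: Rule /Common/ldap_sslv3_log <CLIENTSSL_HANDSHAKE>: 10.20.30.40 SSLv3
Mar  3 10:15:25 bigip1 info tmm1[11234]: Rule /Common/ldap_sslv3_log <CLIENTSSL_HANDSHAKE>: 10.20.30.41 SSLv3
Mar  3 10:16:01 bigip1 info tmm[11234]: Rule /Common/ldap_sslv3_log <CLIENTSSL_HANDSHAKE>: 10.20.30.40 SSLv3
Mar  3 10:16:09 bigip1 info tmm[11234]: Rule /Common/other_rule <HTTP_REQUEST>: 10.9.9.9 SSLv3
Mar  3 10:17:40 bigip1 info tmm[11234]: Rule /Common/ldap_sslv3_log <CLIENTSSL_HANDSHAKE>: 10.20.30.40%2 SSLv3
Mar  3 10:18:02 bigip1 info tmm[11234]: Rule /Common/ldap_sslv3_log <CLIENTSSL_HANDSHAKE>: not-an-ip SSLv3
"""

# Message body written by: log local0. "[IP::client_addr] [SSL::cipher version]"
LINE_RE = re.compile(r"<CLIENTSSL_HANDSHAKE>: (\S+) (\S+)\s*$")


def sslv3_clients(log_text, version="SSLv3"):
    """Count logged handshakes per client IP for the given protocol version."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) != version:
            continue
        # Assumed route-domain suffix (e.g. %2) is dropped before validation.
        addr = m.group(1).split("%", 1)[0]
        try:
            counts[str(ipaddress.ip_address(addr))] += 1
        except ValueError:
            continue  # malformed address field: skip it
    return counts


def data_group_entries(counts, min_hits=1):
    """Host addresses seen at least min_hits times, in numeric order."""
    hosts = [ipaddress.ip_address(a) for a, n in counts.items() if n >= min_hits]
    hosts.sort(key=lambda h: (h.version, int(h)))  # IPv4 before IPv6
    return [str(h) for h in hosts]


if __name__ == "__main__":
    seen = sslv3_clients(SAMPLE_LOG)
    for ip in data_group_entries(seen):
        print(ip, seen[ip])
```

Raising `min_hits` keeps one-off connections out of the list, so only clients that repeatedly negotiate SSLv3 are pointed at the ADC_LDAP_SSL3 profile.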