Forum Discussion
iRule to log SSL cipher version
So funny thing. I was working on a binary scan iRule to pull the client's cipher list out of the ClientHello message, almost finished, then Jason Rahm tells me he's already done this... 😉
And so not to reinvent the wheel, here's a customization of that code:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    # TLS record header: content type (1), version (2), fragment length (2)
    binary scan [TCP::payload] cSS rtype sslver rlen
    if { $rtype == 22 } {
        # Collect the rest of the record if necessary. The length field counts
        # only the fragment, so wait for the 5-byte header plus the fragment and
        # let CLIENT_DATA fire again once it has all arrived.
        if { [TCP::payload length] < [expr {$rlen + 5}] } {
            TCP::collect [expr {$rlen + 5}]
            return
        }
        # Skip record header (5), handshake header (4), client version (2) and random (32)
        set field_offset 43
        # Set the offset past the variable-length session ID
        binary scan [TCP::payload] @${field_offset}c sessID_len
        set field_offset [expr {$field_offset + 1 + $sessID_len}]
        # Get cipher list length (bytes; each suite is 2 bytes)
        binary scan [TCP::payload] @${field_offset}S cipherList_len
        # Get ciphers as a hex string, then separate into a list of 4-hex-digit elements
        set field_offset [expr {$field_offset + 2}]
        set cipherList_len [expr {$cipherList_len * 2}]
        binary scan [TCP::payload] @${field_offset}H${cipherList_len} cipherlist
        set clist [list]
        for { set i 0 } { $i < [string length $cipherlist] } { incr i 4 } {
            lappend clist [string range $cipherlist $i [expr {$i + 3}]]
        }
        set cliststr [join $clist ","]
        log local0. "Client: [IP::client_addr] attempts SSL with ciphers: $cliststr"
    }
    TCP::release
}
when CLIENTSSL_HANDSHAKE {
    log local0. "Client: [IP::client_addr] successfully negotiates [SSL::cipher name]"
}
From that you'll get log statements like the following:
Client: 10.70.0.1 attempts SSL with ciphers: 00ff,c024,c023,c00a,c009,c008,c028,c027,c014,c013,c012,c026,c025,c005,c004,c003,c02a,c029,c00f,c00e,c00d,006b,0067,0039,0033,0016,003d,003c,0035,002f,000a,c007,c011,c002,c00c,0005,0004,00af,00ae,008d,008c,008a,008b
Client: 10.70.0.1 successfully negotiates DHE-RSA-AES256-SHA
These 4-character hex values directly correlate to RFC-based cipher strings:
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
And, as Jason does, you're welcome to add all 300+ cipher strings and hex codes to a datagroup to get the literal string in the log. 😉
This doesn't specifically address your last requirement (logging a failed handshake and what cipher they tried), but that's a bit more complex, and I wanted to get this out first.