Forum Discussion
TMcGov_92811
Nimbostratus
Dec 08, 2008
iRule to log SSL failures due to weak encryption
I have implemented the following cipher string in an SSL profile per F5 support to prevent SSLv2 or weak encryption schemes from connecting.
ALL:!NULL:!ADH:!LOW:!EXP:RC4+RSA:!SSLv2:+HIGH:+MEDIUM
I am trying to develop an iRule to log every connection that is blocked by this SSL profile. The standard one below does not log everything, only encryption schemes using less than 128 bits. What do I need to add to this in order to match the cipher string above so I can actually see who is getting blocked and for exactly which reason?
when HTTP_REQUEST {
    # check for at least 128 bits of encryption
    if { [SSL::cipher bits] < 128 } {
        # when browser cannot do at least 128 bits of encryption log client details
        log local0. "Client IP:port: [IP::client_addr]:[TCP::client_port], Host/URI [HTTP::host][HTTP::uri],\
            User-Agent: [HTTP::header User-Agent], Auth header: [HTTP::header Authorization], cipher bits: [SSL::cipher bits]"
    }
}
- dennypayne
Employee
If it's getting blocked by the profile, it will never get to the iRule at all. I did a similar rule where the customer wanted to redirect anybody less than 128 bit and not using SSLv3 or TLS to a "Please upgrade your browser" page, and I had to let the profile allow ALL because the iRule won't do anything until the decryption is done.
- hoolio
Cirrostratus
To add to Denny's suggestion, you could set no restrictions on the client SSL profile, but then check the cipher bits and/or name in an iRule in HTTP_REQUEST. If the client's SSL spec is too low, you could send back a response or redirect. Here are a couple of related posts:
- TMcGov_92811
Nimbostratus
Thanks guys - good stuff.
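Putting Denny's and hoolio's advice together, the following is an added example iRule (not code from the thread, and not an F5-supplied rule) that does what the original poster asked for: it logs the client, the cipher, the protocol version and the specific reason a handshake would have been refused by the posted cipher string, then returns an HTTP response instead of serving the request. It assumes the client SSL profile has been opened up (for example to ALL) so the handshake completes and HTTP_REQUEST actually fires, as both replies above point out. The mapping of the cipher-string exclusions to checks is an assumption: !LOW is approximated as fewer than 128 cipher bits, !SSLv2 by the negotiated protocol version, and !EXP, !NULL and !ADH by OpenSSL-style name prefixes (EXP-, NULL-, ADH-) reported by SSL::cipher name.

```tcl
when HTTP_REQUEST {
    # Added example: assumes the client SSL profile allows all ciphers so that
    # decryption succeeds and this event runs for every client, weak or strong.
    set cipher_bits    [SSL::cipher bits]
    set cipher_name    [SSL::cipher name]
    set cipher_version [SSL::cipher version]

    # Work out which rule of the original cipher string this client would have hit.
    set reason ""
    if { $cipher_version equals "SSLv2" } {
        set reason "protocol SSLv2 (!SSLv2)"
    } elseif { [string match -nocase "NULL-*" $cipher_name] } {
        set reason "null cipher ${cipher_name} (!NULL)"
    } elseif { [string match -nocase "ADH-*" $cipher_name] } {
        set reason "anonymous DH cipher ${cipher_name} (!ADH)"
    } elseif { [string match -nocase "EXP-*" $cipher_name] } {
        set reason "export-grade cipher ${cipher_name} (!EXP)"
    } elseif { $cipher_bits < 128 } {
        set reason "cipher ${cipher_name} only ${cipher_bits} bits (!LOW, assumed as <128)"
    }

    # Strong client: nothing to do, let the request through to the pool.
    if { $reason equals "" } {
        return
    }

    # Weak client: log exactly who and why, then answer without touching the server.
    log local0. "Weak SSL client rejected: IP:port [IP::client_addr]:[TCP::client_port],\
        Host/URI [HTTP::host][HTTP::uri], User-Agent: [HTTP::header User-Agent],\
        protocol: ${cipher_version}, cipher: ${cipher_name}, bits: ${cipher_bits}, reason: ${reason}"

    HTTP::respond 403 content \
        "<html><body><h1>Please upgrade your browser</h1><p>Your browser negotiated ${cipher_name} over ${cipher_version}, which this site does not accept.</p></body></html>" \
        "Content-Type" "text/html" \
        "Connection" "close"
}
```

The check order matters: the protocol and name-based exclusions are tested before the bit count so the log states the strictest matching reason rather than a generic "too few bits", and the early return keeps the common (strong) case cheap. HTTP::respond is used rather than a redirect so the rejection is served directly from the LTM and the request never reaches a pool member; swap in HTTP::redirect if an upgrade page on another host is preferred.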