iRule to return message when SSL handshake fail

Question

Hi,&nbsp;
I need an iRule to return a message to the end-user after rejection (handshake will fail).
I already put an SSL profile to use only TLSv1.2&nbsp;
Thnx&nbsp;

a_alkhuja_16976 · Answer

the log message when the user gets a reject:&nbsp;
Connection error: ssl_hs_rxhello:8519: unsupported version (70)&nbsp;

simon_blakely · Answer

How can you return a message to the client when the transport protocol negotiation has failed?
You need to accept the TLS connection, and then reply to the HTTP_REQUEST with your required response based on the

SSL::cipher version

command.
when HTTP_REQUEST {
  log local0. "Cipher version is [SSL::cipher version]"
  if {!([SSL::cipher version] eq "TLSv1.2")} {
    HTTP::respond 500 content "You need to upgrade your client to support TLSv1.2"
    TCP::close
  }
}

However - this will be detected by external scanners (like SSLLabs) as supporting and allowing versions of SSL/TLS below TLSv1.2, and your site rating will probably be an F.

Forum Discussion

iRule to return message when SSL handshake fail

Recent Discussions

How to export a list of paired external service providers from APM?

How to Renew F5 Device Certificate

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Statistics ›› Analytics : HTTP : Overview

Related Content

Load Balancing TCP TLS Encrypted Syslog Messages

The return of DevCentral CodeShare.

SSL Profiles Part 1: Handshakes

Performance optimalization of message based load balancing.

TCP Internals: 3-way Handshake and Sequence Numbers Explained

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS