Forum Discussion
A_Alkhuja_16976
Nimbostratus
Dec 16, 2018
iRule to return message when SSL handshake fails
Hi,
I need an iRule to return a message to the end-user after rejection (handshake will fail).
I already put an SSL profile to use only TLSv1.2.
Thanks
Simon_Blakely
Employee
Dec 16, 2018
How can you return a message to the client when the transport protocol negotiation has failed?
You need to accept the TLS connection, and then reply to the HTTP_REQUEST with your required response based on the SSL::cipher version command.
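    when HTTP_REQUEST {
        # Log the protocol version negotiated for this connection
        log local0. "Cipher version is [SSL::cipher version]"
        # Anything other than TLSv1.2 gets an explanatory response, then the connection is closed
        if {!([SSL::cipher version] eq "TLSv1.2")} {
            HTTP::respond 500 content "You need to upgrade your client to support TLSv1.2"
            TCP::close
        }
    }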
However - this will be detected by external scanners (like SSLLabs) as supporting and allowing versions of SSL/TLS below TLSv1.2, and your site rating will probably be an F.
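The iRule above logs the negotiated version on every request, so those log lines can be tallied to see how many requests are still being answered with the upgrade message. The following is an added example, not part of the original posts: the syslog layout, host name, rule name and sample lines are constructed assumptions, and only the "Cipher version is ..." message text comes from the iRule.

```python
import re
from collections import Counter

# Assumed syslog layout for iRule "log local0." output; only the message text
# "Cipher version is <version>" is taken from the iRule on this page.
LINE_RE = re.compile(
    r"Rule (?P<rule>\S+) <HTTP_REQUEST>: Cipher version is (?P<version>\S+)\s*$"
)

REQUIRED = "TLSv1.2"  # the only version the iRule lets through

# Constructed sample log (host, rule name and process ids are made up).
SAMPLE_LOG = """\
Dec 16 10:01:02 bigip1 info tmm[11234]: Rule /Common/tls_notice <HTTP_REQUEST>: Cipher version is TLSv1.2
Dec 16 10:01:05 bigip1 info tmm1[11234]: Rule /Common/tls_notice <HTTP_REQUEST>: Cipher version is TLSv1
Dec 16 10:01:07 bigip1 notice mcpd[5012]: Pool /Common/web_pool member status up
Dec 16 10:01:09 bigip1 info tmm[11234]: Rule /Common/tls_notice <HTTP_REQUEST>: Cipher version is TLSv1.2
Dec 16 10:01:12 bigip1 info tmm1[11234]: Rule /Common/tls_notice <HTTP_REQUEST>: Cipher version is TLSv1.1
Dec 16 10:01:15 bigip1 info tmm[11234]: Rule /Common/tls_notice <HTTP_REQUEST>: Cipher version is TLSv1.2
"""


def tally_versions(lines):
    """Count requests per negotiated protocol version, skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            counts[match.group("version")] += 1
    return counts


def rejected_share(counts, required=REQUIRED):
    """Mirror the iRule's test: every version other than `required` got the 500 response.

    Returns (rejected_requests, total_requests, fraction_rejected).
    """
    total = sum(counts.values())
    rejected = total - counts.get(required, 0)
    return rejected, total, (rejected / total if total else 0.0)


if __name__ == "__main__":
    counts = tally_versions(SAMPLE_LOG.splitlines())
    rejected, total, fraction = rejected_share(counts)
    for version, n in counts.most_common():
        print(f"{version:8} {n}")
    print(f"{rejected}/{total} requests ({fraction:.0%}) received the upgrade message")
```
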
