Forum Discussion

Nimbostratus

Aug 10, 2017

iRule when TLS below 1.2 match datagroup

Hello All, Im looking for some assistance on an iRule. Looking to have VS listen on SSLv3 - TLS1.2 (Client Profile). If client connection is eq TLS1.2 pass to back end pool. If < TLS...

Cirrostratus

Aug 10, 2017

Hi Marin,

Please find here after an example of the irule that you can use to do that.

To use this irule you need to create 2 data groups :

First one is string type called "dg_allowed_ciphers" with following records "SSLv3", "TLSv1" and "TLSv1.1" (keep the same format when adding it to your data group)

Second one is address type called "dg_allowed_sourceIPs" that contains allowed IP addresses

when HTTP_REQUEST {
if { [SSL::cipher version] eq "TLSv1.2" } {             Do nothing if TLSv1.2
} elseif { ([class match [SSL::cipher version] eq "dg_allowed_ciphers"]) && ([class match [IP::client_addr] equals "dg_allowed_sourceIPs" ]) } {
     Do nothing if both conditions are met
} else {
     Redirect to a sorry page or reject client connections
    reject
}
}

If you are using a partition other than the "Common" partition, you will need to specify the partition name before calling the data-group name from the irule.

Example: "/Partition_name/dg_allowed_ciphers"

Hope it helps

Regards

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)