Forum Discussion
Log SSL Cipher Version and User Agent Info
Hi
I need to log if there are connections using SSLv3 Cipher before disabling it.
I'm using this code:
when CLIENTSSL_HANDSHAKE {
    ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
That way I get the usage of the different Cipher versions but there isn't any information about OS or Browser.
That info is in [HTTP::header User-Agent] but can't be used inside CLIENTSSL_HANDSHAKE. It could be done in HTTP_REQUEST but it would be executed several times for the same session and the stats wouldn't be reliable. How could I log the Cipher Version and User-Agent data just once for each session? Thanks
Hi Manuel,
basically you can do two things...
Example 1: If using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "DES" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    }
}
Note: The above example would add a very little overhead for consecutive requests using the same TCP session.
Example 2: If NOT using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "DES" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    } else {
        event HTTP_REQUEST disable
    }
}
Note: The above example would disable further processing of HTTP_REQUEST events for the current TCP connection. So it wouldn't add additional overhead for consecutive requests using the same TCP session.
Note: Integrate your ISTATS counters as needed... 😉
Cheers, Kai
- soymanue (Nimbostratus)
Hello
Thanks for your answer. Unfortunately I can't redirect to an error page. The service must be available even if you connect with SSLv3 for a while, until we have the stats.
So I need to log just once per connection:
log local0.debug "SSLv3 cipher connection for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
And let the connection work.
I have another event with HTTP_REQUEST to detect if the client uses client certificate authentication. Therefore, I can't disable the HTTP_REQUEST event.
Regards
Ah okay... it's just for logging. Then try this... 😉
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "DES" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        set invalid_ssl 0
    }
}
Note: The outlined iRule would now [log] (or possibly [ISTATS]) just once per SSL connection.
Cheers, Kai
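A combined variant of the approach worked out in this thread, written here as an added example (not Kai's or Manuel's code): it logs and counts a weak-cipher session once, guards against HTTP_REQUEST firing on a connection that never saw a handshake, and lets the connection continue. The ISTATS key layout and the User-Agent family patterns are assumptions, not anything from the thread.

```tcl
# Added example: log + count weak-cipher clients once per SSL session without
# blocking them. Assumes an iRule on a virtual server with a client-ssl profile.
when CLIENTSSL_HANDSHAKE {
    # Fires on every handshake, including renegotiations, so a renegotiated
    # session is evaluated (and logged) again, which is what we want.
    set weak_ssl 0
    if { ( [SSL::cipher version] contains "SSL" ) or \
         ( [SSL::cipher name] contains "DES" ) or \
         ( [SSL::cipher name] contains "RC4" ) or \
         ( [SSL::cipher bits] < 128 ) } then {
        set weak_ssl 1
        set weak_ssl_desc "[SSL::cipher version] [SSL::cipher name] [SSL::cipher bits]bits"
    }
}

when HTTP_REQUEST {
    # Guard: HTTP_REQUEST can run with no handshake seen on this connection
    # (e.g. SSL disabled for it), so never read the flag before it exists.
    if { ![info exists weak_ssl] || !$weak_ssl } then { return }

    # Coarse User-Agent family, so ISTATS key cardinality stays small.
    # Order matters: Chrome UAs also contain "safari", Edge UAs contain "chrome".
    set ua [string tolower [HTTP::header value "User-Agent"]]
    set family "other"
    foreach {pattern name} {
        *msie* ie *trident* ie *edge* edge *firefox* firefox
        *chrome* chrome *safari* safari *java/* java *curl* curl
    } {
        if { [string match $pattern $ua] } then { set family $name ; break }
    }

    # Counter per virtual server, UA family and cipher version (assumed key layout).
    ISTATS::incr "ltm.virtual [virtual name] c weak_ssl_${family}_[lindex $weak_ssl_desc 0]" 1
    log local0.info "Weak SSL session from [IP::client_addr]:[TCP::client_port] using $weak_ssl_desc, User-Agent: [HTTP::header value "User-Agent"]"

    # Clear the flag so keep-alive requests on this session are not logged again.
    set weak_ssl 0
}
```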