soymanue
Feb 12, 2016 (Nimbostratus)
Log SSL Cipher Version and User Agent Info
Hi
I need to log if there are connections using SSLv3 Cipher before disabling it.
I'm using this code:
when CLIENTSSL_HANDSHAKE {
ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]...
Kai_Wilke
Feb 12, 2016 (MVP)
Hi Manuel,
basically you can do two things...
Example 1: If using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    # Classify the negotiated cipher once per TCP connection: any SSL (not TLS)
    # protocol version, any DES/3DES or RC4 cipher, or a key shorter than 128 bits.
    if { ( [SSL::cipher version] contains "SSL" ) or
         ( [SSL::cipher name] contains "DES" ) or
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # The User-Agent is only available once the HTTP request has been parsed,
    # so the log line is written here rather than in CLIENTSSL_HANDSHAKE.
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    }
}
Note: The above example would add a very small overhead for consecutive requests using the same TCP session.
Example 2: If NOT using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    # Same classification as in Example 1.
    if { ( [SSL::cipher version] contains "SSL" ) or
         ( [SSL::cipher name] contains "DES" ) or
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    } else {
        # Connection is fine: stop running this event for further requests on the same TCP session.
        event HTTP_REQUEST disable
    }
}
Note: The above example would disable further processing of HTTP_REQUEST events for the current TCP connection. So it wouldn't add additional overhead for consecutive requests using the same TCP session.
Note: Integrate your ISTATS counters as needed... 😉
Cheers, Kai
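The iRule above writes one log line per offending connection, but the original question was about measuring SSLv3 use before disabling it. The following Python script is an added example, not code from the thread or from F5: it parses log lines in the exact format of the `log local0.debug` statement above and summarises them by protocol version, by version/User-Agent pair, by client address, and by which of the four weak-cipher conditions fired. The sample log lines, the `/Common/ssl_log` rule name and the syslog prefix are constructed for this example; only the "Denied SSL Handshake ..." message part is parsed.

```python
import re
from collections import Counter

# Constructed sample log lines. The syslog prefix and rule name are assumptions;
# the message text after "Denied SSL Handshake" matches the iRule's log statement.
# The last line is an unrelated message, included to show that it is counted as unparsed.
SAMPLE_LOG = """\
Feb 12 10:01:02 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 10.1.2.3:51234 using SSLv3, DES-CBC3-SHA and 168 bits using the Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Feb 12 10:01:05 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 10.1.2.3:51240 using SSLv3, DES-CBC3-SHA and 168 bits using the Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Feb 12 10:02:17 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 192.0.2.44:44002 using TLSv1, RC4-SHA and 128 bits using the Agent Java/1.6.0_45
Feb 12 10:03:00 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 198.51.100.7:39001 using TLSv1, EXP-RC2-CBC-MD5 and 40 bits using the Agent curl/7.19.7
Feb 12 10:03:30 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: unrelated message
"""

# Matches the message part written by the iRule. The client address is matched
# non-greedily so that IPv6 addresses (which contain colons) also parse.
LOG_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>.+?):(?P<port>\d+) "
    r"using (?P<version>[^,]+), (?P<cipher>\S+) and (?P<bits>\d+) bits "
    r"using the Agent (?P<agent>.*)$"
)


def weak_reasons(version, cipher, bits):
    """Return which of the iRule's four conditions apply to this handshake.

    Mirrors the CLIENTSSL_HANDSHAKE test: Tcl's 'contains' is a case-sensitive
    substring match, so e.g. DES-CBC3-SHA (3DES) is caught by the "DES" check.
    """
    reasons = []
    if "SSL" in version:
        reasons.append("ssl_version")
    if "DES" in cipher:
        reasons.append("des_cipher")
    if "RC4" in cipher:
        reasons.append("rc4_cipher")
    if bits < 128:
        reasons.append("short_key")
    return reasons


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an iRule log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bits"] = int(rec["bits"])
    rec["reasons"] = weak_reasons(rec["version"], rec["cipher"], rec["bits"])
    return rec


def summarize(log_text):
    """Aggregate the log so an administrator can judge the impact of disabling SSLv3."""
    by_version = Counter()
    by_version_agent = Counter()
    by_reason = Counter()
    clients = set()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        by_version[rec["version"]] += 1
        by_version_agent[(rec["version"], rec["agent"])] += 1
        by_reason.update(rec["reasons"])
        clients.add(rec["ip"])
    return {
        "by_version": dict(by_version),
        "by_version_agent": dict(by_version_agent),
        "by_reason": dict(by_reason),
        "clients": sorted(clients),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("Connections by protocol version:", summary["by_version"])
    print("Reasons the iRule flagged them:", summary["by_reason"])
    for (version, agent), count in sorted(summary["by_version_agent"].items()):
        print(f"  {count:4d}  {version:8s} {agent}")
    print("Distinct client addresses:", len(summary["clients"]))
    print("Unparsed lines:", summary["unparsed"])
```

Reading the per-reason counts tells you whether disabling SSLv3 alone removes the logged clients, or whether weak ciphers (RC4, DES, export-grade key sizes) are also being negotiated over TLS and need a separate cipher-string change; the per-User-Agent view identifies which client software would break. On a real BIG-IP, feed the script the lines extracted from `/var/log/ltm` with the rule name used in your deployment.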