Forum Discussion
Poodle Mitigation but can't disable SSLv3
Reading some of the recent articles, it appears the recommendation is to force RC4 for all SSLv3 connections. Have any of you encountered any client issues doing so? Also wondering if anyone is using an iRule along the lines of sending known client IP ranges that require SSLv3 to an SSLv3-enabled profile, then sending all other clients to an SSLv3-disabled profile. I appreciate any input.
Thanks, Chris
3 Replies
- JRahm
Admin
You could use the SSL::cipher version command with a default SSL version of v3; if the client is IP $x, all is OK, and if not, renegotiate and force a different SSL profile. Ideas around this can be gathered in this thread.
- Christopher_Boo
Cirrostratus
For anyone interested, I'm using the iRule below. The SSLv3-enabled profile only allows SSLv3 with RC4. The other profile has SSLv3 disabled.
```tcl
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "sslv3_allowed"] } {
        SSL::profile sslv3_enabled
    } else {
        SSL::profile sslv3_disabled
    }
}
when HTTP_REQUEST {
    SSL::renegotiate
}
```
- JRahm
Admin
nice work!
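An added example, not part of the original thread and not F5 code: one way to check that the `sslv3_allowed` data group matches reality is to audit handshake logs for clients that still negotiate SSLv3. The log format (`client=… proto=… cipher=…`), the sample lines and the network `10.1.1.0/24` are constructed assumptions; the script separates SSLv3 clients inside and outside the allow-list and flags any SSLv3 session on a non-RC4 cipher.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed format; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
client=10.1.1.15 proto=SSLv3 cipher=RC4-SHA
client=10.1.1.15 proto=SSLv3 cipher=RC4-SHA
client=10.1.1.77 proto=SSLv3 cipher=AES128-SHA
client=192.0.2.40 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
client=198.51.100.9 proto=SSLv3 cipher=DES-CBC3-SHA
client=10.1.2.3 proto=TLSv1 cipher=AES256-SHA
garbage line that does not parse
"""

LINE_RE = re.compile(r"client=(\S+) proto=(\S+) cipher=(\S+)")


def audit_sslv3(log_text, allowed_networks):
    """Report which clients negotiated SSLv3 and whether the allow-list covers them."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    ciphers_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip_text, proto, cipher = m.groups()
        if proto != "SSLv3":
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address field
        ciphers_by_client[ip].add(cipher)

    report = {"expected": [], "unexpected": [], "non_rc4": []}
    for ip in sorted(ciphers_by_client, key=lambda a: (a.version, int(a))):
        in_group = any(ip in net for net in allowed)
        report["expected" if in_group else "unexpected"].append(str(ip))
        # CBC-mode ciphers under SSLv3 are what POODLE targets; the thread's
        # SSLv3-enabled profile is meant to allow RC4 only.
        if any("RC4" not in c for c in ciphers_by_client[ip]):
            report["non_rc4"].append(str(ip))
    return report


if __name__ == "__main__":
    for key, clients in audit_sslv3(SAMPLE_LOG, ["10.1.1.0/24"]).items():
        print(f"{key}: {clients}")
```

Clients under `unexpected` either need adding to the data group or are hitting a listener where SSLv3 is still enabled for everyone; clients under `non_rc4` indicate the SSLv3 profile's cipher string is not restricting to RC4.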