Forum Discussion
Almassud_221797
Cirrus
Feb 24, 2016
Redirect if less than TLSv1.2
Hello all,
So we now have enforced all connections to a VIP for all of our websites TLSv1.2 only.
As a result, we get calls from users not able to access websites and then we check IE setti...
nathe
Cirrocumulus
Feb 24, 2016
MJ, you can use the SSL::cipher command to get the version of TLS negotiated.
See:
https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx
Here is an iRule in the codeshare to redirect on weak ciphers you can use:
https://devcentral.f5.com/codeshare?sid=656
From that here's a quick example (non-tested):
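when HTTP_REQUEST {
    # Log the protocol version negotiated for this client connection
    log local0. "[IP::remote_addr]: SSL cipher version is [SSL::cipher version]"
    # SSL::cipher version returns strings such as "TLSv1", "TLSv1.1", "TLSv1.2";
    # the literal must use the same "TLSv" prefix for the string comparison to work
    if { [SSL::cipher version] < "TLSv1.2" } {
        HTTP::respond 302 Location "http://www.example.com/error/sslerr.html" Cache-Control No-Cache Pragma No-Cache Connection Close
    }
}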
Note you'd need to allow these ciphers in the client SSL profile so the client can negotiate the SSL transaction.
Hope this helps,
N
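An added example, not part of the post above or of the F5 codeshare: the same redirect written with an explicit allow-list of protocol versions instead of a string comparison, so an unrecognized version string is treated as too old and redirected. It assumes `SSL::cipher version` returns strings such as `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3`; the `static::` variable names are hypothetical, and the error URL is the placeholder from the post.

```tcl
when RULE_INIT {
    # Protocol versions accepted for normal traffic
    # (assumed SSL::cipher version strings; adjust to what your BIG-IP reports).
    set static::tls_ok {TLSv1.2 TLSv1.3}

    # Error page from the post. It must stay reachable for clients that
    # cannot negotiate TLS 1.2, otherwise the redirect leads nowhere.
    set static::tls_err_url "http://www.example.com/error/sslerr.html"
}

when HTTP_REQUEST {
    set ver [SSL::cipher version]

    # Fail closed: anything not explicitly listed is redirected,
    # including version strings this rule does not recognize.
    if { [lsearch -exact $static::tls_ok $ver] == -1 } {
        log local0. "[IP::client_addr]: negotiated $ver ([SSL::cipher name]), redirecting to error page"
        HTTP::respond 302 Location $static::tls_err_url Cache-Control No-Cache Pragma No-Cache Connection Close
        return
    }
}
```

As the post notes, the client SSL profile still has to permit the older protocol versions, because the handshake must complete before the rule can send the redirect.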