Forum Discussion
Almassud_221797
Cirrus
Feb 24, 2016
Redirect if less than TLSv1.2
Hello all,
So we now have enforced all connections to a VIP for all of our websites TLSv1.2 only.
As a result, we get calls from users not able to access websites and then we check IE setti...
Kai_Wilke
MVP
Feb 25, 2016
Hi Almassud,
this snippet should work and provides some compliance check results to the errorpage...
when CLIENTSSL_HANDSHAKE {
    # An empty deny_reason means the client negotiated TLSv1.2
    if { [SSL::cipher version] equals "TLSv1.2" } then {
        set deny_reason ""
    } else {
        set deny_reason [URI::encode [b64encode "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"]]
    }
}
when HTTP_REQUEST {
    # Send non-compliant clients to the error page, then drop the connection
    if { $deny_reason ne "" } then {
        HTTP::redirect "http://www.domain.de/errorpage.html?reason=$deny_reason"
        TCP::close
        event disable all
        return
    }
}
Note: Keep in mind that you have to allow the legacy SSL/TLS version in your Clientside SSL Profile. The security check is then performed in the outlined iRule.
Cheers, Kai
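
The iRule above hands its compliance details to the error page as URI-encoded base64 in the `reason` query parameter. As an added example (not part of Kai's post and not F5 code), this is one way errorpage.html could decode that value in JavaScript while treating it as untrusted URL input; the function names, the `reason` element id and the sample values are assumptions.

```javascript
// Added example: decode and validate the "reason" parameter on errorpage.html.
// The value is part of the URL, so anyone can craft it: accept only the exact
// message layout the iRule builds and never write it into the page as HTML.
const REASON_RE =
  /^Denied SSL Handshake for Client ([0-9A-Fa-f:.%]+):(\d{1,5}) using ([A-Za-z0-9.]+), ([A-Za-z0-9_-]+) and (\d{1,4})$/;

function decodeBase64(b64) {
  if (typeof atob === "function") return atob(b64);   // browsers, recent Node
  return Buffer.from(b64, "base64").toString("latin1");
}

function parseDenyReason(search) {
  const raw = new URLSearchParams(search).get("reason");
  if (!raw || raw.length > 512) return null;           // missing or oversized
  // URLSearchParams reads an unencoded "+" as a space; restore it for base64.
  const b64 = raw.replace(/ /g, "+");
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  let text;
  try { text = decodeBase64(b64); } catch (e) { return null; }
  const m = REASON_RE.exec(text);
  if (!m) return null;                                  // not the iRule's format
  return { client: m[1], port: Number(m[2]), version: m[3],
           cipher: m[4], bits: Number(m[5]) };
}

function describeDenyReason(search) {
  const r = parseDenyReason(search);
  if (!r) return "Your browser could not negotiate TLSv1.2 with this site.";
  return `Your browser connected with ${r.version} (${r.cipher}, ${r.bits} bits). ` +
         "This site requires TLSv1.2.";
}

// Browser wiring: textContent keeps the value from being parsed as markup.
if (typeof document !== "undefined") {
  const el = document.getElementById("reason");         // assumed element id
  if (el) el.textContent = describeDenyReason(window.location.search);
}

// Constructed sample in the iRule's message format (values are made up).
const SAMPLE_MESSAGE =
  "Denied SSL Handshake for Client 192.0.2.10:51234 using TLSv1, AES128-SHA and 128";
const SAMPLE_B64 = typeof btoa === "function"
  ? btoa(SAMPLE_MESSAGE) : Buffer.from(SAMPLE_MESSAGE, "latin1").toString("base64");
const SAMPLE_SEARCH = "?reason=" + encodeURIComponent(SAMPLE_B64);
```
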