Forum Discussion
redirect to ifile page if TLS 1 or 1.1 is used
Hello,
Kindly note that the following iRule was applied on the VS, but it's not working properly:
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" } {
        HTTP::respond 503 content [ifile get maintenance]
    }
}
As per the below, the ifile exists and was verified on the CLI. Also, on Firefox I'm forcing the use of TLS v1.
[root@f5-IB-1:Active:In Sync] config tmsh list sys file ifile
sys file ifile maintenance {
    checksum SHA1:714:28de1ccd8407b517163fdcdc352ae847f46df53c
    create-time 2018-01-09:10:07:18
    created-by admin
    last-update-time 2018-01-09:10:07:18
    mode 33188
    revision 1
    size 714
    updated-by admin
- Jad_Tabbara__J1
Cirrostratus
Hello Abouleil,
Try the following code
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" || [SSL::cipher version] eq "TLSv1.1" } {
        HTTP::respond 503 content [ifile get "/Common/maintenance"]
    }
}
Verify that your ifile is under the "Common" partition or replace "Common" by your partition name.
Regards
- Andy_McGrath
Cumulonimbus
I think you will need to create an LTM iFile object as well; the sys file ifile is used to import the file into iFile, but the reference for use is through ltm.
The following on TMSH should create the iFile for reference within an iRule:
create ltm ifile maintenance file-name maintenance
Or on the Web GUI:
- On the Main tab, click Local Traffic > iRules > iFile List.
- Click Create.
- In the Name field, type a new name for the iFile, such as ifileURL.
- From the File Name list, select the name of the imported file object, such as 1k.html.
- Click Finished. The new iFile appears in the list of iFiles.
- aboulleill_3013
Nimbostratus
I'm still getting the default browser SSL error below; it's still not redirecting to the customized ifile HTML page.
Secure Connection Failed An error occurred during a connection to 192.168.110.115. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
It looks like your network security settings might be causing this. Do you want the default settings to be restored?
- Andy_McGrath
Cumulonimbus
Looks like you are getting an SSL issue, likely from not having a compatible cipher suite between the F5 configuration and the browser.
If you take the iRule off the Virtual Server, does this work? If not, I would get this working first with the desired cipher suite and SSL/TLS protocols.
With this in mind, are you able to provide your SSL Profile configuration (excluding the cert and key info)?
- youssef1
Cumulonimbus
Hello
Find below an optimised iRule:
when HTTP_REQUEST {
    # Match TLS 1.0 and 1.1 explicitly: the glob TLSv1.* also matches TLSv1.2 and misses plain TLSv1
    switch [SSL::cipher version] {
        "TLSv1" -
        "TLSv1.1" {
            HTTP::respond 503 content [ifile get maintenance] "Content-Type" "text/html"
        }
        default {
            # do nothing
        }
    }
}
I think you just forgot to reference your iFile in LTM. Go to Local Traffic, iRules, then "iFile List", then create your iFile reference with the name maintenance...
Regards,
- aboulleill_3013
Nimbostratus
still not working :(
- youssef1
Cumulonimbus
Hello,
Did you check the output logs during your test? /var/log/ltm
You can add a log in your iRule: log local0. "cipher version: [SSL::cipher version]"
Regards,
- aboulleill_3013
Nimbostratus
Dear Youssef,
Yes, this is what the logs are showing, and it's normal, but it seems the iRule is not working.
Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
Jan 9 11:50:05 f5-IB-1 warning tmm1[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:05 f5-IB-1 info tmm1[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6405 -> 192.168.110.115%10:443
- youssef1
Cumulonimbus
Hi Aboulleill,
I think that your problem is not due to the iRule. You are blocked before iRule execution. It seems that your SSL handshake failed because you use an unsupported version (protocol).
Can you confirm that you don't set cert auth in your SSL client profile? What did you set in the "Ciphers" option in your client SSL profile?
And did you test access to your VS with another browser?
Regards,
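The log excerpt in this thread shows why the iRule never fires: the handshake is rejected for its protocol version, so no HTTP_REQUEST event occurs for those clients. As an added example (not part of the original thread), this Python script pairs each "unsupported version" warning with the handshake failure that follows it to list the affected clients. It assumes both lines come from the same tmm thread in the same second, as in the quoted log; the 192.0.2.44 line is constructed.

```python
import re
from collections import Counter

# Five lines copied from the /var/log/ltm excerpt in the thread, plus one
# constructed line (192.0.2.44) that has no preceding version error.
SAMPLE_LOG = """\
Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
Jan 9 11:50:05 f5-IB-1 warning tmm1[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:05 f5-IB-1 info tmm1[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6405 -> 192.168.110.115%10:443
Jan 9 11:50:07 f5-IB-1 info tmm2[20682]: 01260013:6: SSL Handshake failed for TCP 192.0.2.44%10:50112 -> 192.168.110.115%10:443
"""

# timestamp, host, severity, tmm thread, message code, message text
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\w+\s(?P<tmm>tmm\d*)\[\d+\]:\s"
    r"(?P<code>[0-9a-f]{8}):\d:\s(?P<msg>.*)$"
)
FAILED = re.compile(
    r"SSL Handshake failed for TCP (?P<src>[\d.]+)(?:%\d+)?:\d+ -> (?P<dst>\S+)"
)

def version_rejections(log_text):
    """Count handshakes rejected for protocol version, per (client, virtual server)."""
    pending = {}  # tmm thread -> timestamp of its last "unsupported version" error
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        if m["code"] == "01260009" and "unsupported version" in m["msg"]:
            pending[m["tmm"]] = m["ts"]
        elif m["code"] == "01260013":
            f = FAILED.search(m["msg"])
            # Assumption: a failure on the same tmm in the same second belongs
            # to the version error just seen; anything else is left uncounted.
            if f and pending.pop(m["tmm"], None) == m["ts"]:
                hits[(f["src"], f["dst"])] += 1
    return hits

if __name__ == "__main__":
    for (client, vs), n in version_rejections(SAMPLE_LOG).items():
        print(f"{client} -> {vs}: {n} handshake(s) rejected for protocol version")
```

Clients listed by this script are turned away by the client SSL profile before any HTTP event, so an HTTP_REQUEST iRule cannot serve them the iFile page.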