Forum Discussion
Maurice_G_
Employee
Feb 16, 2007
require SSLv3 based on URI
I want to apply an iRule to a virtual server such that if the URI contains a certain string the SSLv2 cipher cannot be used.
How can I do this?
5 Replies
- Colin_Walker_12
Historic F5 Account
Unfortunately, since you'd have to decrypt the HTTP request to even see the URI that's being requested, you wouldn't be able to enforce a cipher choice based on URI, as the information would already be in plaintext by the time you'd have enough information to make this decision.
Colin
- bl0ndie_127134
Historic F5 Account
SSL exposes a rule 'SSL::profile ' that allows you to select a particular SSL profile via the rules. You could try setting the profile to the restrictive one and call SSL::renegotiate. I have not tested to see if this works so you will have to try this out on your own.
Alternatively you could just redirect the client to a VIP with the correct profile.
- Maurice_G_
Employee
Thanks. I have an iRule associated with my VIP:80 which based on the URI selects a VIP:443 which has a profile which forbids SSLv2.
Thanks again
- Al_Carandang_11
Nimbostratus
I have an SSL profile which accepts even weak ciphers.
Then I use an iRule to examine the encryption used and either let the request through if it is strong enough or just display a page which lets the user know that a stronger cipher is needed to access the URL.
- Al_Carandang_11
Nimbostratus
Yes this does work. You just need to apply an SSL profile which will accept ciphers < 128 bits long.
-Al
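
An added example, not code posted by anyone in this thread: a sketch of the kind of iRule Al_Carandang_11 describes, attached to an HTTPS virtual server whose client SSL profile also accepts weak ciphers. The path prefix `/secure`, the response text, and the exact version string `SSLv2` returned by `SSL::cipher version` are assumptions.

```tcl
# Added example, not from the thread.
# Assumptions: "/secure" is a placeholder for the protected URI prefix,
# and SSL::cipher version reports SSLv2 connections as the string "SSLv2".
when HTTP_REQUEST {
    # Only police the sensitive part of the site; other URIs pass through.
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        # Protocol version and key strength negotiated on the client side.
        set ver  [SSL::cipher version]
        set bits [SSL::cipher bits]

        if { ($ver equals "SSLv2") or ($bits < 128) } {
            # Record who was turned away and why, for later review.
            log local0. "weak SSL rejected: client=[IP::client_addr] version=$ver cipher=[SSL::cipher name] bits=$bits uri=[HTTP::uri]"

            # Answer locally instead of forwarding to the pool.
            HTTP::respond 403 content "<html><body>This URL requires SSLv3 or later with a cipher of at least 128 bits.</body></html>" "Content-Type" "text/html" "Connection" "close"
            return
        }
    }
}
```

As Colin_Walker_12's reply points out, the request has already been decrypted by the time the URI is visible, so a rule like this withholds the response but cannot stop the request itself from having crossed the weak connection.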