Forum Discussion

Cindy_127211 (Nimbostratus)
Oct 20, 2005

Rule Reading SSLCipher Not working

Sorry for the really long post. I have been struggling with this for a while now and would really appreciate any assistance!

I have created a rule for processing SSL version and encryption level information in Version 9, based on a similar rule in version 4.5. However, it doesn't work as I would have expected.

Following is how this rule works:

(1) I have an SSLClientCipher rule, as follows:

 

 

rule SSLClientCipher {
    when HTTP_REQUEST {
        HTTP::header insert "SSLClientCipher: [SSL::cipher name], version=[SSL::cipher version], bits=[SSL::cipher bits]"
    }
}

 

 

(2) This rule is set on the Virtual Server Proxy, which also runs the SSL_Processing rule below (after the SSL Cipher header is set).

(3) This SSL_Processing rule is not working as expected. I'm wondering if it could be the two matchclass statements that are 'and'ed together. The first part of the matchclass statement matches if the SSLVersion_Class does not equal Version 2; the second part of the matchclass statement is supposed to be true if the SSL version is greater than 128 bits. If both statements aren't 'true', then the user is supposed to be redirected to a page that tells them they should upgrade their browser.

***This works perfectly in 4.5...but somehow I am not getting this set up correctly for Version 9.X. At the bottom of this email is the Version 4.5 version of the same rule.***

Version 9 rule for SSL Encryption Level processing:

 

 

rule SSL_Processing {
    when HTTP_REQUEST {
        if {[HTTP::header SSLClientCipher]} {
            if {![ matchclass [HTTP::header SSLClientCipher] contains $::SSLVersion_Class ] and [ matchclass [HTTP::header SSLClientCipher] contains $::Encrypt_Class ] } {
                pool acs80sbox
            } else {
                if { [HTTP::uri] starts_with "/encryptcode/" } {
                    pool acs80sbox
                } else {
                    HTTP::redirect "https://www.ac.com/encryptcode/encryption_notice.jsp"
                }
            }
        } else {
            HTTP::redirect "https://www.ac.com/encryptcode/encryption_notice.jsp"
        }
    }
}

 

 

 

Version 4.5 rule for SSL Encryption Level processing:

rule SSL_Processing {
    if (exists http_header("SSLClientCipher")) {
        if (not (http_header("SSLClientCipher") contains one of SSLVersion_Class) and http_header("SSLClientCipher") contains one of Encrypt_Class) {
            use pool acs80
        }
        else {
            if (http_uri starts_with "/encryptcode/") {
                use pool acs80
            }
            else {
                redirect to "https://www.americancentury.com" + "/encryptcode/encryption_notice.jsp"
            }
        }
    }
    else {
        redirect to "https://www.americancentury.com" + "/encryptcode/encryption_notice.jsp"
    }
}

 

  • unRuleY_95363 (Historic F5 Account)
    I think it's simply a matter of logical grouping. In 4.x, we made the precedence of the "not" operator lower than the "and" operator. In 9.x, since we are based on Tcl, we inherited the precedence orders of Tcl. The "not" (or !) operator is now higher precedence than the logical operators. So, logically, the result of that if expression will be true when the cipher is not in the version class and does contain the proper bits.

    Try adding parentheses around the two matchclass commands like so:

    if { ! ( [matchclass [HTTP::header SSLClientCipher] contains $::SSLVersion_Class] and [matchclass [HTTP::header SSLClientCipher] contains $::Encrypt_Class] ) } {

    Also, you can add some log commands to confirm whether or not your logic is going where you expect.

  • Thank you for your quick response. I did try the parentheses and that seemed to help...although, I think, I am concerned about having 'NOT' for both of the matchclasses be the true condition now...versus just a NOT for the first statement. But I'll be able to test that further once I get by the next problem.

    When I started logging the data from the 'rule' I found that the SSLClientCipher header is only returning

    RC4-MD5,

    versus the entire string. When I print this out via the log statement I am doing the following:

    log "Matchclass True: [HTTP::header SSLClientCipher]"

    Now I'm wondering whether the rule to set this is really working as expected, since the SSLClientCipher string should be much longer based on what I was being returned in 4.5.
  • unRuleY_95363 (Historic F5 Account)
    I see the problem now. It has to do with the way you have specified the header insert command. When you only use one argument, the command assumes there might be multiple headers you are inserting as a list.

    Try using this form instead:

    HTTP::header insert "SSLClientCipher" "[SSL::cipher name], version=[SSL::cipher version], bits=[SSL::cipher bits]"

    Notice that I broke the header name and the value into separate arguments. This will better identify what the header name is and what the header value is.
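Both F5 replies above describe plain Tcl behaviour that can be checked in tclsh without a BIG-IP: the precedence of "!" against "&&" in the if expression (first reply), and what happens to the one-argument form of HTTP::header insert when that single string is handled as a list (last reply). The script below is an added example for this thread, not code from F5 or from either poster. It assumes things the page does not state: matchclass "contains" is emulated with a substring search over the class entries, the iRule "and" is written as Tcl "&&", the class contents are made up, and the header values it feeds in are constructed, including the truncated "RC4-MD5," value the original poster saw in the log.

```tcl
#!/usr/bin/env tclsh
# Added example for this thread; not code from F5 or from the posters above.
# Runs in plain tclsh (no BIG-IP needed) and shows two things:
#   1. how Tcl splits the one-argument form of HTTP::header insert if that
#      argument is treated as a list of header words, versus the
#      two-argument form suggested in the last reply;
#   2. how Tcl's operator precedence changes the SSL_Processing condition,
#      evaluated against sample header values including the truncated one
#      the original poster saw in the log.
# Assumptions (not stated on the page): matchclass "contains" is emulated
# with a substring search over the class entries, iRule "and" is written as
# Tcl "&&", and the class contents and header values below are made up.

# --- 1. single-argument vs two-argument header insert -----------------------

set name  "SSLClientCipher"
set value "RC4-MD5, version=TLSv1, bits=128"

# One argument: the whole line is one string. Read as a Tcl list it splits
# on whitespace into four words, and the word after the name is "RC4-MD5,".
# Two arguments: a two-element list, name and value, with the value intact.
set one_arg  "$name: $value"
set two_args [list $name $value]

proc describe {label lst} {
    puts "$label: [llength $lst] list element(s)"
    set i 0
    foreach el $lst { puts [format "    \[%d\] %s" $i $el]; incr i }
}
describe "one argument" $one_arg
describe "two arguments" $two_args

# --- 2. precedence of ! versus && in the if expression ----------------------

# Constructed class contents (the real SSLVersion_Class and Encrypt_Class
# are not shown on the page).
set SSLVersion_Class {version=SSLv2}
set Encrypt_Class    {bits=128 bits=168 bits=256}

# Emulates "matchclass $value contains $class": true when any entry of the
# class occurs inside the header value.
proc class_contains {value class} {
    foreach entry $class {
        if {[string first $entry $value] >= 0} { return 1 }
    }
    return 0
}

# A = header contains an SSLVersion_Class entry, B = header contains an
# Encrypt_Class entry. In Tcl, ! binds tighter than &&, so the first form
# is (!A) && B; the parenthesised form from the reply is !(A && B).
proc cond_unparenthesised {hdr} {
    global SSLVersion_Class Encrypt_Class
    expr {![class_contains $hdr $SSLVersion_Class] && [class_contains $hdr $Encrypt_Class]}
}
proc cond_parenthesised {hdr} {
    global SSLVersion_Class Encrypt_Class
    expr {!([class_contains $hdr $SSLVersion_Class] && [class_contains $hdr $Encrypt_Class])}
}

# Constructed header values; the last one is what the truncated insert leaves.
set samples {
    "RC4-MD5, version=TLSv1, bits=128"
    "RC4-MD5, version=SSLv2, bits=128"
    "EXP-RC4-MD5, version=TLSv1, bits=40"
    "EXP-RC4-MD5, version=SSLv2, bits=40"
    "RC4-MD5,"
}

puts ""
puts [format "%-38s %-9s %-9s" "SSLClientCipher value" "(!A)&&B" "!(A&&B)"]
foreach hdr $samples {
    puts [format "%-38s %-9d %-9d" $hdr [cond_unparenthesised $hdr] [cond_parenthesised $hdr]]
}
```

Run it with tclsh. Part 1 prints four list elements for the one-argument string and two for the two-argument form, which is consistent with only "RC4-MD5," ending up as the header value. Part 2 prints a truth table: the unparenthesised form is true only for a non-SSLv2 handshake with a cipher in the bits class, whereas the parenthesised form is true for every row except "SSLv2 with a strong cipher", so in this emulation it also evaluates true for the truncated "RC4-MD5," value. That is the difference the original poster's follow-up worries about, and it is why the two-argument header insert matters as much as the parentheses: the condition can only be judged once the full "name, version=..., bits=..." value is actually present in the header.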