Forum Discussion
SSL error redirect
We are disabling SSLv3 in the options list profile. I need to add an entry to my current iRule to redirect clients to a help page if the connection fails an SSL cert. Obviously if the SSL termination fails the rule doesn't run, or does it? Either way, how can I trigger on the SSL error and redirect clients, and where would I place it within the iRule? Here is what I have, but it is not triggering... currently I just get the standard Page Can't Be Displayed. Below is my iRule.

    when HTTP_RESPONSE {
        if { [HTTP::status] contains "SSL error" } {
            log local0. "Detecting SSL Error"
            HTTP::redirect "https://www.MySite.com/_default.htm"
        }
    }
3 Replies
- mimlo_61970
Cumulonimbus
If you disable SSLv3 in the profile, anyone trying to negotiate SSLv3 will never make it to your when HTTP_RESPONSE event.
You might be able to do something in the CLIENTSSL_HELLO event, but I am not entirely sure. You could always allow SSLv3 in the SSL profile, and then redirect when it is in use. I found the following in the comments at https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, seems like it should work.

    when HTTP_REQUEST {
        if { [SSL::cipher version] eq "SSLv3" } {
            HTTP::respond 302 Location "http://errorURL" noserver
        }
    }

- Gill_32697
Nimbostratus
True, we did disable SSLv3, but do have TLS. The IE browser has an issue and you need to make some properties settings. The clients are getting "Page can't be displayed"; Firefox, Chrome and Safari work fine.
- Gill_32697
Nimbostratus
Anyone have any ideas on how to make this iRule work? I'd appreciate any help.