F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Gill_32697's avatar
Gill_32697
Icon for Nimbostratus rankNimbostratus
Oct 20, 2014

SSL error redirect

We are diabling SSLv3 in the options list profile. I need to add an entry to my current iRule to redirect clients to a help page is the connection fails a SSL cert. Obviously if the SSL termination f...
mimlo_61970's avatar
mimlo_61970
Icon for Cumulonimbus rankCumulonimbus
Oct 20, 2014

If you disable SSLv3 in the profile, anyone trying to negotiate SSLv3 will never make it to your when HTTP_RESPONSE event.

You might be able to do something in the CLIENTSSL_HELLO event, but I am not entirely sure. You could always allow SSLv3 in the SSL profile, and then redirect when it is in use. I found the following in the comments at https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, seems like it should work.

when HTTP_REQUEST { 
    if { [SSL::cipher version] eq "SSLv3" } {
        HTTP::respond 302 Location "http://errorURL" noserver 
    } 
}
Gill_32697's avatar
Gill_32697
Icon for Nimbostratus rankNimbostratus
Oct 20, 2014
True, we did disable SSLv3, but do have TLS, the IE Broswer has an issue and you need to make some properties settings. The clients are getting Page can't be displayed, Firefox, Chrome and Safari work fine.