Forum Discussion

nathe's avatar
nathe
Icon for Cirrocumulus rankCirrocumulus
Nov 17, 2009

SSL redirect iRule

Afternoon,

 

 

We have a Big-IP ASM appliance (v9.4.4) in front of our Corporate internet site. We need to restrict customers from connecting with less than 128 bit encryption and hope to redirect to an informational page outlining how to upgrade their browser, for example.

 

 

If I add the iRule as per the "Devcentral Wiki: Redirect on Weak Encryption" when I access the https page I get redirected to the URL mentioned in the iRule (which I've changed accordingly). So this works fine.

 

 

However, if on the SSL Client profile I then change the Ciphers to DEFAULT:!ADH:!EXPORT40:!EXP:!LOW to block non 128 bit connections then I get "page cannot be displayed" rather than the redirected URL.

 

 

Can both the iRule and the custom Cipher work in tandem?

 

 

Thanks in advance.

 

Nathan
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 17, 2009
    Hi Nathan,

     

     

    With the client SSL profile set to not allow the 128bit cipher, LTM will send a reset to a client who attempts to use a 128 bit cipher. This will happen regardless of whether the iRule is enabled or not.

     

     

    The iRule is a better option as it tells the client that there is a problem and how to fix it. The only downside to the iRule option is that vulnerability scans will show a false positive for weak ciphers. It's safe to ignore this as no client with a weak cipher will be able to get past LTM.

     

     

    Aaron
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Nov 18, 2009
    Thanks Aaron,

     

     

    You're spot on with the reasonings behind why we are doing this - an external vulnerability test highglighted the issue. I was at first only intending to add a custom cipher to the ssl profile, it was only later did I find the iRule to redirect.

     

     

    I am leaning towards remediating the vulnerability threat but that does mean we lose the redirect. Can you think of any other way we could do this via F5?

     

     

    Thanks in advance,

     

     

    Nathan

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 18, 2009
    Hi Nathan,

     

     

    In order to send the redirect, you have to allow the weak cipher in the client SSL profile. It's not actually a vulnerability though as you're not allowing a client with a weak cipher to connect to anything beyond the LTM. It will still show up as an issue in a pen test, but it's not a true problem.

     

     

    Aaron