For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nathe's avatar
nathe
Icon for Cirrocumulus rankCirrocumulus
Nov 17, 2009

SSL redirect iRule

Afternoon,     We have a Big-IP ASM appliance (v9.4.4) in front of our Corporate internet site. We need to restrict customers from connecting with less than 128 bit encryption and hope to r...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 17, 2009
Hi Nathan,

 

 

With the client SSL profile set to not allow the 128bit cipher, LTM will send a reset to a client who attempts to use a 128 bit cipher. This will happen regardless of whether the iRule is enabled or not.

 

 

The iRule is a better option as it tells the client that there is a problem and how to fix it. The only downside to the iRule option is that vulnerability scans will show a false positive for weak ciphers. It's safe to ignore this as no client with a weak cipher will be able to get past LTM.

 

 

Aaron