Cindy_127211
Oct 26, 2005

SSLClientCipher for SSLV2 not working

I have a problem open with F5 Support on a rule problem trying to decipher SSLV2 out of the SSLClientCipher header, but they indicated that I would have to go to you all for support because they believe that the V9.X rules structure does not support SSLv2.

 

 

My rule is 'simply' printing out the SSL Version information after inserting it. I test SSL versions by enabling specific versions from the Internet Explorer -> Tools -> Internet Options -> Advanced tab.

 

 

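rule SSLClientCipher {
    when HTTP_REQUEST {
        # Insert the negotiated cipher name, protocol version and key size as a request header
        HTTP::header insert "SSLClientCipher" "[SSL::cipher name], version=[SSL::cipher version], bits=[SSL::cipher bits]"
        # Write the inserted header value to the ltm log
        log local0. "SSLClientCipher [HTTP::header SSLClientCipher]"
    }
}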

 

 

The rule works fine when using SSLV3 and prints out the following in the 'ltm' log and displays the page as expected:

 

 

Oct 26 13:55:57 tmm tmm[21321]: Rule SSLClientCipher : SSLClientCipher RC4-MD5, version=TLSv1, bits=128

 

 

However, when I enable 'only' SSLV2, this is what I get in the 'ltm' log and the web page fails to load:

 

 

Oct 26 13:54:37 tmm tmm[21321]: 01220001:3: TCL error: Rule SSLClientCipher - Error: SSL Not found (line 1) invoked from within "SSL::cipher name"

 

 

 

 

1 Reply

  • Colin_Walker_12
    Historic F5 Account
    Cindy,

     

     

    There are options within the BIG-IP configs to disable the use of certain Ciphers. I know that in our documentation we recommend disabling SSLv2 altogether if you're concerned about security.

     

     

    Have you checked to ensure SSLv2 connections are allowed through your BIG-IP at all?

     

     

    I'm just trying to narrow down whether this is an issue in the rule, or in general.

     

     

    Thanks,

     

    -Colin
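
To help separate rule failures from ordinary negotiations, as the reply asks, the following added example (not part of the original thread and not F5 code) tallies the two kinds of 'ltm' log lines quoted in the question. The `summarize` function, the 128-bit threshold and the sample lines are assumptions made for illustration; the sample is constructed from the log formats shown in the post.

```python
import re
from collections import Counter

# Constructed sample modeled on the two ltm log lines quoted in the post.
SAMPLE_LTM = '''\
Oct 26 13:55:57 tmm tmm[21321]: Rule SSLClientCipher : SSLClientCipher RC4-MD5, version=TLSv1, bits=128
Oct 26 13:54:37 tmm tmm[21321]: 01220001:3: TCL error: Rule SSLClientCipher - Error: SSL Not found (line 1) invoked from within "SSL::cipher name"
Oct 26 13:56:02 tmm tmm[21321]: Rule SSLClientCipher : SSLClientCipher EXP-RC4-MD5, version=SSLv3, bits=40
Oct 26 13:56:10 tmm tmm[21321]: some unrelated message
'''

# Line written by the rule's own "log local0." statement.
OK_RE = re.compile(
    r'Rule (?P<rule>\S+) : SSLClientCipher (?P<cipher>[^,]+), '
    r'version=(?P<version>[^,]+), bits=(?P<bits>\d+)')
# Line written when the rule aborts with a TCL error.
ERR_RE = re.compile(
    r'TCL error: Rule (?P<rule>\S+) - Error: (?P<msg>.*?) \(line (?P<line>\d+)\)'
    r'(?: invoked from within "(?P<cmd>[^"]*)")?')

def summarize(log_text, min_bits=128):
    """Tally negotiated versions, weak ciphers and per-rule TCL errors."""
    versions, errors, weak = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            # Key on rule, message and failing command so repeats collapse.
            errors[(m['rule'], m['msg'], m['cmd'])] += 1
            continue
        m = OK_RE.search(line)
        if m:
            versions[m['version']] += 1
            if int(m['bits']) < min_bits:  # assumed threshold for "weak"
                weak.append((m['cipher'], m['version'], int(m['bits'])))
    return {'versions': dict(versions), 'errors': dict(errors), 'weak': weak}

if __name__ == '__main__':
    report = summarize(SAMPLE_LTM)
    print('versions seen:', report['versions'])
    print('rule errors  :', report['errors'])
    print('weak ciphers :', report['weak'])
```

If the error count rises only while SSLv2-only clients are connecting and no `version=` line for SSLv2 ever appears, that narrows the problem to how those connections reach the rule.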