Forum Discussion
SSLv3 cipher negotiation log
Is it possible to log in an irule if a browser tries to negotiate to a specific cipher?
I have the following irule but this doesn't tell me if a browser tried a disabled cipher before it negotiated an allowed one:
    when HTTP_REQUEST {
        # Check if the client used an SSL cipher
        if { not ([catch {SSL::cipher version} result]) && [string tolower $result] ne "none" } {
            set Name [SSL::cipher name]
            log local0. "Cipher Version is $result and Cipher Name is $Name"
        }
    }
Any advice? Cheers
7 Replies
- Arnaud_Lemaire
Employee
HTTP_REQUEST is too late in the process; the SSL and TCP sessions are already established. Try having a look at the CLIENTSSL_CLIENTHELLO event, which happens when you receive the SSL initiation from the client, where you may be able to parse for interesting information.
https://devcentral.f5.com/wiki/iRules.CLIENTSSL_CLIENTHELLO.ashx
- Yozzer
Nimbostratus
I would like to see if ciphers with CBC are being attempted. I didn't see anything specific for this in CLIENTSSL_CLIENTHELLO.
Thanks
- nitass
Employee
There is a request for enhancement which is implemented in the next version release.
ID468803 RFE - iRule command to return SSL ciphersuites presented in Client Hello
For now, if you want, you have to manually parse the SSL message.
- Yozzer
Nimbostratus
Thanks. Which specific SSL commands should I use? I don't think the cipher suite is in the list of extensions.
Cheers
- nitass
Employee
I understand it is going to be a new command (i.e. a new parameter to an existing command).
- Yozzer
Nimbostratus
Thanks, so I can't manually parse the SSL message until this command is included?
Cheers
- nitass
Employee
You can manually parse the SSL message without the command (i.e. collect the TCP payload and parse it). The command would make it much easier.
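As an added example (not code from this thread or from F5), here is the manual parse nitass describes, written in Python rather than iRule Tcl so it runs stand-alone: it walks the ClientHello in a collected TCP payload using the RFC 5246 layout, returns the cipher suites the client offered, and names any CBC suites, which is the condition Yozzer wanted to log. The sample ClientHello, the `build_client_hello` helper and the small cipher name table are constructed for this example.

```python
import struct

# Small name table for the suites this example labels; codes are the IANA-assigned values.
CIPHER_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def build_client_hello(suites):
    """Constructed ClientHello (record + handshake headers, no extensions) used as sample input."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # client_version, 32-byte random, empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1) + 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # ContentType handshake(22), record length

def parse_client_hello_ciphers(payload):
    """Return the cipher suite codes offered in a ClientHello, or None if payload is not a complete one."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                                      # not a TLS handshake record carrying a ClientHello
    hs_len = int.from_bytes(payload[6:9], "big")
    if len(payload) < 9 + hs_len:
        return None                                      # handshake not fully collected yet (collect more TCP data)
    pos = 9 + 2 + 32                                     # skip client_version and random
    sid_len = payload[pos]
    pos += 1 + sid_len                                   # skip session_id
    cs_len = struct.unpack(">H", payload[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(payload):
        return None                                      # malformed cipher_suites vector
    return [struct.unpack(">H", payload[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def cbc_suites_offered(payload):
    """Names of offered suites whose name contains CBC; unknown codes are never reported as CBC."""
    codes = parse_client_hello_ciphers(payload) or []
    return [CIPHER_NAMES[c] for c in codes if "_CBC_" in CIPHER_NAMES.get(c, "")]

# Constructed sample: a client offering two GCM/ECDHE-style suites, two CBC suites and the SCSV.
SAMPLE_HELLO = build_client_hello([0xC02F, 0x009C, 0xC013, 0x002F, 0x00FF])

if __name__ == "__main__":
    print("offered:", [f"0x{c:04X}" for c in parse_client_hello_ciphers(SAMPLE_HELLO)])
    print("CBC attempted:", cbc_suites_offered(SAMPLE_HELLO))
```

In an iRule the same offsets apply to the bytes handed to CLIENT_DATA after TCP::collect; the incomplete-record case is where you would collect more before parsing.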