Forum Discussion

Chris_FP
Jun 09, 2015

SSLv3 detection and redirect using Traffic Policies

I am looking at a way to redirect any users who are using browsers that only support or allow the use of SSLv3 (I know, I know, nobody should, but they still do...).


I could do this with an iRule, but the site it will be used on already relies heavily on iRules and has a lot of users and traffic coming in, so I was looking at doing this via a Traffic Policy.


The problem is that the F5 website isn't very forthcoming with help on what I should check for under the client-ssl operand, and what parameter I should be checking under protocol, to force a redirect to a pool explaining that they should really be using a better browser.


Any help on this would be appreciated.


1 Reply

  • I think protocol is the same as SSL::cipher version.

    SSL::cipher

    https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx
    configuration
    
    [root@ve11b:Active:In Sync] config  tmsh list ltm rule qux
    ltm rule qux {
        when CLIENTSSL_HANDSHAKE {
            log local0. "\[SSL::cipher version\]: [SSL::cipher version]"
        }
    }
    [root@ve11b:Active:In Sync] config  tmsh list ltm policy cpm1
    ltm policy cpm1 {
        controls { forwarding }
        requires { tcp http client-ssl }
        rules {
            rule1 {
                actions {
                    0 {
                        log
                        write
                        message SSLv3
                    }
                }
                conditions {
                    0 {
                        client-ssl
                        protocol
                        values { SSLv3 }
                    }
                }
                ordinal 1
            }
            rule2 {
                actions {
                    0 {
                        log
                        write
                        message TLSv1
                    }
                }
                conditions {
                    0 {
                        client-ssl
                        protocol
                        values { TLSv1 }
                    }
                }
                ordinal 2
            }
        }
        strategy first-match
    }
    
    /var/log/ltm
    
    [root@ve11b:Active:In Sync] config  tail -f /var/log/ltm
    Jun 10 22:44:12 ve11b info tmm1[10343]: Rule /Common/qux : [SSL::cipher version]: SSLv3
    Jun 10 22:44:12 ve11b info tmm1[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule1]: SSLv3
    Jun 10 22:44:17 ve11b info tmm[10343]: Rule /Common/qux : [SSL::cipher version]: TLSv1
    Jun 10 22:44:17 ve11b info tmm[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule2]: TLSv1
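Added example (not from the thread or from F5): a small Python parser for the two /var/log/ltm line formats shown above, the iRule's `SSL::cipher version` line and the policy's `log write message` line, that counts how many handshakes negotiated each protocol version so you can gauge how much SSLv3 traffic a redirect rule would affect before turning it on. The sample log lines are constructed, modelled on the ones in the reply.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm lines, modelled on the reply above.
SAMPLE_LTM_LOG = """\
Jun 10 22:44:12 ve11b info tmm1[10343]: Rule /Common/qux : [SSL::cipher version]: SSLv3
Jun 10 22:44:12 ve11b info tmm1[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule1]: SSLv3
Jun 10 22:44:17 ve11b info tmm[10343]: Rule /Common/qux : [SSL::cipher version]: TLSv1
Jun 10 22:44:17 ve11b info tmm[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule2]: TLSv1
Jun 10 22:45:01 ve11b info tmm[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule1]: SSLv3
Jun 10 22:45:03 ve11b info tmm1[10343]: Rule /Common/qux : [SSL::cipher version]: TLSv1.2
"""

# Line written by the iRule's "log local0." statement.
IRULE_RE = re.compile(r"Rule (?P<rule>\S+) : \[SSL::cipher version\]: (?P<proto>\S+)$")
# Line written by the policy's "log write message <proto>" action.
POLICY_RE = re.compile(r"Policy log message \[(?P<rule>\S+)\]: (?P<proto>\S+)$")


def parse_line(line):
    """Return (source, rule, protocol) for a recognised line, else None."""
    m = IRULE_RE.search(line)
    if m:
        return ("irule", m.group("rule"), m.group("proto"))
    m = POLICY_RE.search(line)
    if m:
        return ("policy", m.group("rule"), m.group("proto"))
    return None


def protocol_counts(log_text, source="policy"):
    """Count negotiated protocol versions from one log source only, so a
    handshake logged by both the iRule and the policy is not counted twice."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == source:
            counts[parsed[2]] += 1
    return counts


def legacy_clients(counts, legacy=("SSLv2", "SSLv3")):
    """Return (number of legacy handshakes, their share of all handshakes)."""
    total = sum(counts.values())
    n = sum(counts[v] for v in legacy)
    return n, (n / total if total else 0.0)


if __name__ == "__main__":
    counts = protocol_counts(SAMPLE_LTM_LOG)
    n, share = legacy_clients(counts)
    print(dict(counts), n, f"{share:.0%}")
```

On a real box, feed it `/var/log/ltm` instead of the sample and pick `source="irule"` if you only deployed the iRule.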