Forum Discussion
Chris_FP
Cirrus
CirrusSSLv3 detection and redirect using Traffic Policies
I am looking at a way to to redirect any users that are using browsers that only support or allow the use of SSLv3 (i know, i know, nobody should but they still do...)
I could do this under an i...
nitass
Employee
Employeei think protocol is same as SSL::cipher version.
SSL::cipher
https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx configuration
[root@ve11b:Active:In Sync] config tmsh list ltm rule qux
ltm rule qux {
when CLIENTSSL_HANDSHAKE {
log local0. "\[SSL::cipher version\]: [SSL::cipher version]"
}
}
[root@ve11b:Active:In Sync] config tmsh list ltm policy cpm1
ltm policy cpm1 {
controls { forwarding }
requires { tcp http client-ssl }
rules {
rule1 {
actions {
0 {
log
write
message SSLv3
}
}
conditions {
0 {
client-ssl
protocol
values { SSLv3 }
}
}
ordinal 1
}
rule2 {
actions {
0 {
log
write
message TLSv1
}
}
conditions {
0 {
client-ssl
protocol
values { TLSv1 }
}
}
ordinal 2
}
}
strategy first-match
}
/var/log/ltm
[root@ve11b:Active:In Sync] config tail -f /var/log/ltm
Jun 10 22:44:12 ve11b info tmm1[10343]: Rule /Common/qux : [SSL::cipher version]: SSLv3
Jun 10 22:44:12 ve11b info tmm1[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule1]: SSLv3
Jun 10 22:44:17 ve11b info tmm[10343]: Rule /Common/qux : [SSL::cipher version]: TLSv1
Jun 10 22:44:17 ve11b info tmm[10343]: 016e0004:6: Policy log message [/Common/cpm1/rule2]: TLSv1
