Forum Discussion
SSLv3 iRule reply with nice error
Hi All,
I am trying to write an iRule that will return a nice error message to the user if they attempt to use the SSLv3 protocol, however I don't know how to do the message part. Can someone please help/provide guidance?
This is what I have at the moment:
when CLIENT_ACCEPTED {
    SSL::disable
    TCP::collect
}
when CLIENT_DATA {
    # first byte of the record is the content type, next two bytes the record version
    binary scan [TCP::payload] cS rtype sslver
    log local0. "SSL Record Type $rtype, Version: $sslver"
    # BLOCK SSLV3 (record version 0x0300 = 768)
    if { $sslver <= 768 } {
        set SSLBlock 1
        # Need to add message here
    } else {
        SSL::enable
        TCP::release
    }
}
Thanks in advance, Nick
3 Replies
- Amit_Karnik
Nimbostratus
SSL is a lower level protocol, so the "nice error message" which you are referring to has to be at the application layer and it will depend on the application protocol in question.
If (most typically) your application protocol is http then you could just use the CLIENTSSL_HANDSHAKE event to flag that the protocol version negotiated was SSLv3.
Then in the HTTP_REQUEST event on the 1st incoming request you can dish out or redirect (to) a nice error message page.
Note that this means that the SSLv3 should be enabled in your profile to let the handshake succeed.
- mimlo_61970
Cumulonimbus
The only way you are going to be able to send a message to the client is to allow SSL to complete the handshake with SSLv3 and then send the message. Without the SSL layer completed, HTTP events are not going to be applicable.
Based on this article https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx I worked up the following, which can probably be tightened up by making sure no backend resources are ever assigned and so on, but illustrates a basic example.
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "SSLv3" } {
        HTTP::respond 302 Location "http://weakencryption"
    }
}
Tested using openssl s_client:
openssl s_client -connect 10.0.0.1:443 -ssl3
--- ssl handshake omitted ---
GET /
HTTP/1.0 302 Found
Location: http://weakencryption
Server: BigIP
Connection: close
Content-Length: 0
and with tls:
openssl s_client -connect 10.0.0.1:443 -tls1
--- ssl handshake omitted ---
GET /
Hello World!
closed
- nickt9999_11997
Nimbostratus
Thanks for the replies, I have SSLv3 disabled in my client profile. From your replies it looks like I can't do what I wanted, which was to intercept SSLv3 requests before the handshake and redirect/reply.
Cheers, Nick
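Putting the two replies above together (flag the negotiated version in CLIENTSSL_HANDSHAKE, answer in HTTP_REQUEST), here is an added example iRule that is not from the thread or from F5. It assumes SSLv3 is enabled on the client SSL profile so the handshake can complete, and the variable name weak_proto and the page text are my own; the request is answered by the BIG-IP itself, so no pool member is ever selected.

```tcl
# Added example: let the SSLv3 handshake finish, then refuse the first HTTP
# request with an explanatory page instead of forwarding it to the pool.
when CLIENTSSL_HANDSHAKE {
    # SSL::cipher version returns the negotiated protocol, e.g. "SSLv3" or "TLSv1.2"
    set weak_proto 0
    if { [SSL::cipher version] eq "SSLv3" } {
        set weak_proto 1
        log local0. "SSLv3 negotiated from [IP::client_addr]; request will be refused"
    }
}

when HTTP_REQUEST {
    # info exists guards against connections where CLIENTSSL_HANDSHAKE did not run
    if { [info exists weak_proto] && $weak_proto } {
        set body "<html><body><h1>Connection refused</h1>\
<p>Your browser connected using SSLv3, which this site no longer accepts. \
Please upgrade your browser or enable TLS.</p></body></html>"
        # HTTP::respond sends the reply directly from the BIG-IP, so no
        # backend resources are assigned; Connection: close ends the session
        HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```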