For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nickt9999_11997's avatar
nickt9999_11997
Icon for Nimbostratus rankNimbostratus
Oct 21, 2014

SSLv3 iRule reply with nice error

Hi All, I am trying to write an iRule that will return a nice error message to the user if they attempt to use the SSLv3 protocol, however I don't know how to do the message part. Can some please ...
application delivery
devops
iRules
mimlo_61970's avatar
mimlo_61970
Icon for Cumulonimbus rankCumulonimbus
Oct 21, 2014

The only way you are going to be able to send a message to the client is to allow SSL to complete the handshake with SSLv3 and then send the message. Without the SSL layer completed, HTTP events are not going to be applicable.

Based on this article https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx I worked up the following, which can probably be tightened up by making sure no backend resources are ever assigned and so on, but illistrates a basic example.

when HTTP_REQUEST {
    if { [SSL::cipher version] eq "SSLv3" } {
        HTTP::respond 302 Location "http://weakencryption"
    }
}

Tested using openssl s_client

openssl s_client -connect 10.0.0.1:443 -ssl3
--- ssl handshake omitted ---
GET /
HTTP/1.0 302 Found
Location: http://weakencryption
Server: BigIP
Connection: close
Content-Length: 0

and with tls

openssl s_client -connect 10.0.0.1:443 -tls1
--- ssl handshake omitted ---
GET /
Hello World!
closed