Forum Discussion
Switch ssl profile based on weak cipher detection via IRULE
Hi Team,
I am looking to create an iRule to switch the SSL profile if a weak cipher is detected on a TLS 1.2 connection.
I have created the script below, but F5 is not accepting it and gives an error. Please help me correct the iRule below.
IRULE:-
when CLIENTSSL_HANDSHAKE {
    set hsl [HSL::open -proto UDP -pool POOL-SPLUNK-SYSLOG]
    # List of ciphers to log
    set log_ciphers {
        "AES256-GCM-SHA384"
        "AES128-GCM-SHA256"
        "ECDHE-RSA-AES256-CBC-SHA"
        "ECDHE-RSA-AES128-SHA256"
        "AES256-SHA"
        "AES128-SHA"
        "AES128-SHA256"
        "ECDHE-RSA-AES256-SHA384"
    }
    # Get the negotiated cipher
    set negotiated_cipher [SSL::cipher name]
    # Apply profile based on TLSv2
    if { [string match "*TLS1.2*" $negotiated_cipher] } {
        SSL::profile weak_cipher_profile
    } else {
        SSL::profile strong_cipher_profile
    }
    # Log details for specific ciphers
    if { [lsearch -exact $log_ciphers $negotiated_cipher] != -1 } {
        HSL::send $hsl "<190>, Cipher Matched: $negotiated_cipher, ClientIP:[IP::client_addr], F5 Vip:[IP::local_addr], Destination Port:[TCP::local_port]"
    }
}
- aliasgar215
Nimbostratus
I get the below error when I try to apply this iRule:
command is not valid in current event context (CLIENTSSL_HANDSHAKE)][SSL::profile
- zamroni777
Nacreous
CLIENTSSL_HANDSHAKE is triggered when a client-side SSL handshake is completed.
You need to use "when CLIENT_DATA" as explained in
https://clouddocs.f5.com/api/irules/CLIENTSSL_CLIENTHELLO.html
- aliasgar215
Nimbostratus
Please help me with the corrected iRule.
- zamroni777
Nacreous
You might not need iRules.
The cipher that will be used is selected by the TLS server, based on the cipher order in the F5 client-side SSL profile.
So you just need one cipher list with strong ciphers for new clients and weak ciphers for old clients, properly arranged from strongest to weakest.
- aliasgar215
Nimbostratus
I agree that keeping strong and weak ciphers together will get us the same result. But I don't want to disturb the main SSL client profile. So I am looking for an iRule solution, which can be removed without disturbing any main configuration.
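A worked illustration of zamroni777's point, added here as an example that is not part of the thread and not F5 code: with server-side cipher preference, one ordered list already hands new clients a strong suite and old clients a weak one, and the cipher is only known once selection has happened, which is why the "Cipher Matched" log belongs after the handshake rather than driving a profile switch. The server order and the client offers below are constructed values.

```python
# Constructed ordered list for a hypothetical client-ssl profile, strongest first
# (OpenSSL-style names, as used in the iRule in the thread).
SERVER_CIPHER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-CBC-SHA",
    "AES128-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]

# The suites the original iRule wanted to report to syslog.
LOG_CIPHERS = {
    "AES256-GCM-SHA384", "AES128-GCM-SHA256", "ECDHE-RSA-AES256-CBC-SHA",
    "ECDHE-RSA-AES128-SHA256", "AES256-SHA", "AES128-SHA", "AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
}


def select_cipher(client_offered, server_order=SERVER_CIPHER_ORDER,
                  honor_client_order=False):
    """Pick the suite the server will negotiate.

    Server preference (the default, and what the profile ordering relies on)
    walks the server list and returns the first suite the client also offered.
    Client preference walks the client's list instead. None means the two
    sides share no suite and the handshake fails.
    """
    if honor_client_order:
        first, second = list(client_offered), set(server_order)
    else:
        first, second = list(server_order), set(client_offered)
    for suite in first:
        if suite in second:
            return suite
    return None


def handshake_log_line(client_ip, vip, port, client_offered):
    """Mimic the CLIENTSSL_HANDSHAKE branch of the iRule: the suite is only
    known after selection, and a line is produced only for listed suites."""
    cipher = select_cipher(client_offered)
    if cipher is None:
        return "handshake_failure: no shared cipher"
    if cipher in LOG_CIPHERS:
        return (f"Cipher Matched: {cipher}, ClientIP:{client_ip}, "
                f"F5 Vip:{vip}, Destination Port:{port}")
    return ""
```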