Forum Discussion
Trying to use iRules to redirect SSLv3 while allowing other IPs to use SSLv3
As part of the POODLE migration I have used the following to redirect bad browsers:
```tcl
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "SSLv3" } {
        HTTP::respond 302 Location "http://corp.com/browservalidator-SSLv3"
    }
}
```
I also have a couple of VSs that need to be accessed by remote system accounts, and I have used an iRule to allow these hosts:
```tcl
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals "QC68347-SSLv3_allow_DGL"] } {
        SSL::profile QC68347-SSLv3-gateway.corp.com
    }
}
```
The default SSL client profile has SSLv3 turned off, but the QC68347-SSLv3-gateway.corp.com SSL Client Profile allows it and the QC68347-SSLv3_allow_DGL Data Group list contains the allowed IPs.
I now have the need to allow a single IP to access a resource via SSLv3, but block all other SSLv3 traffic. I tried to use both of these iRules on the same VS. I had assumed that, since the CLIENT_ACCEPTED event occurred first, the sessions from the allowed IPs would redirect to an SSL client profile and connect to the pool, while non-allowed SSLv3 sessions would fire on CLIENT_ACCEPTED and redirect. I have been unsuccessful at getting both iRules to work together. Is there an easier way of doing this?
2 Replies
- StephanManthey
Hi Dave, here is a tested iRule to permit SSLv3 for specified clients:
```tcl
priority 100

when RULE_INIT {
    # Enable/disable debugging
    set static::debug_rule_ssl_test 1
}

when CLIENTSSL_HANDSHAKE {
    # Log client-ssl handshake parameters
    if { $static::debug_rule_ssl_test > 1 } {
        log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
    }
    if { ([SSL::cipher version] equals "SSLv3") && !([class match [IP::client_addr] equals datagroup_sslv3_client_whitelist]) } {
        if { $static::debug_rule_ssl_test > 0 } {
            log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
        }
        drop
    }
}
```

Please make sure to have a datagroup (type "IP address") containing permitted client IP addresses or networks.
Your client-ssl profile needs to allow SSLv3. Otherwise the condition will never be tested. Please be aware that with the later v11.5.1 hotfixes SSLv3 is disabled by default and has to be enabled by including it in the SSL cipher string settings. Thanks, Stephan

- StephanManthey
As mentioned above, it will be necessary to enable SSLv3 explicitly if you are running recently published hotfixes. You can check the result of modified SSL cipher strings by using a CLI utility as described below:
```text
tmm --clientcipher 'DEFAULT:SSLv3'
       ID  SUITE                     BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256             256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                256  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA                256  TLS1.1  Native  AES     SHA     RSA
 3:    53  AES256-SHA                256  TLS1.2  Native  AES     SHA     RSA
 4:    53  AES256-SHA                256  DTLS1   Native  AES     SHA     RSA
 5:    60  AES128-SHA256             128  TLS1.2  Native  AES     SHA256  RSA
 6:    47  AES128-SHA                128  TLS1    Native  AES     SHA     RSA
 7:    47  AES128-SHA                128  TLS1.1  Native  AES     SHA     RSA
 8:    47  AES128-SHA                128  TLS1.2  Native  AES     SHA     RSA
 9:    47  AES128-SHA                128  DTLS1   Native  AES     SHA     RSA
10:    10  DES-CBC3-SHA              192  TLS1    Native  DES     SHA     RSA
11:    10  DES-CBC3-SHA              192  TLS1.1  Native  DES     SHA     RSA
12:    10  DES-CBC3-SHA              192  TLS1.2  Native  DES     SHA     RSA
13:    10  DES-CBC3-SHA              192  DTLS1   Native  DES     SHA     RSA
14:     5  RC4-SHA                   128  TLS1    Native  RC4     SHA     RSA
15:     5  RC4-SHA                   128  TLS1.1  Native  RC4     SHA     RSA
16:     5  RC4-SHA                   128  TLS1.2  Native  RC4     SHA     RSA
17: 49192  ECDHE-RSA-AES256-SHA384   256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
18: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1    Native  AES     SHA     ECDHE_RSA
19: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.1  Native  AES     SHA     ECDHE_RSA
20: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.2  Native  AES     SHA     ECDHE_RSA
21: 49191  ECDHE-RSA-AES128-SHA256   128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
22: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1    Native  AES     SHA     ECDHE_RSA
23: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1.1  Native  AES     SHA     ECDHE_RSA
24: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1.2  Native  AES     SHA     ECDHE_RSA
25: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1    Native  DES     SHA     ECDHE_RSA
26: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1.1  Native  DES     SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1.2  Native  DES     SHA     ECDHE_RSA
28:    57  DHE-RSA-AES256-SHA        256  SSL3    Native  AES     SHA     EDH/RSA
29:    56  DHE-DSS-AES256-SHA        256  SSL3    Native  AES     SHA     DHE/DSS
30:    22  DHE-RSA-DES-CBC3-SHA      192  SSL3    Native  DES     SHA     EDH/RSA
31:    51  DHE-RSA-AES128-SHA        128  SSL3    Native  AES     SHA     EDH/RSA
32:    50  DHE-DSS-AES128-SHA        128  SSL3    Native  AES     SHA     DHE/DSS
33:    21  DHE-RSA-DES-CBC-SHA        64  SSL3    Native  DES     SHA     EDH/RSA
34:     9  DES-CBC-SHA                64  SSL3    Native  DES     SHA     RSA
35:    53  AES256-SHA                256  SSL3    Native  AES     SHA     RSA
36:    47  AES128-SHA                128  SSL3    Native  AES     SHA     RSA
37:    10  DES-CBC3-SHA              192  SSL3    Native  DES     SHA     RSA
38:     5  RC4-SHA                   128  SSL3    Native  RC4     SHA     RSA
39:     4  RC4-MD5                   128  SSL3    Native  RC4     MD5     RSA
```

In the example above I added SSLv3 to the DEFAULT cipher alias, and now these ciphers are available as well and show up with low priority at the end of the list.
By adding additional parameters you can exclude, e.g., unwanted RC4 ciphers by using the exclamation mark:
```text
tmm --clientcipher 'DEFAULT:SSLv3:!RC4'
```

If you have found an applicable cipher string, it will be necessary to adjust this parameter in the relevant client-ssl profile associated with the virtual server terminating incoming SSL traffic.
Thanks
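As an added example (not from this thread and not F5 code), the following Python script parses the `tmm --clientcipher` table format shown in the reply above and flags the rows a POODLE clean-up cares about: suites that can still be negotiated over SSL3, and suites built on RC4, DES, MD5 or short keys. The sample rows are a constructed excerpt in the same column layout as the listing, and the weakness thresholds (`WEAK_CIPHERS`, `WEAK_MACS`, `MIN_BITS`) are this example's own assumptions, not F5 defaults. Pipe the real `tmm --clientcipher '<string>'` output into `parse_clientcipher` to check a candidate cipher string before putting it into the client-ssl profile.

```python
"""Audit `tmm --clientcipher` output for SSLv3-capable and weak cipher suites.

Added example, not from the DevCentral thread. The sample output below is a
constructed excerpt in the same column layout as the tmm listing:
ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX.
"""
import re
from collections import namedtuple

Suite = namedtuple("Suite", "idx id suite bits prot method cipher mac keyx")

# Constructed excerpt of `tmm --clientcipher 'DEFAULT:SSLv3'` output (sample data).
SAMPLE_OUTPUT = """\
       ID  SUITE                     BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256             256  TLS1.2  Native  AES     SHA256  RSA
14:     5  RC4-SHA                   128  TLS1    Native  RC4     SHA     RSA
17: 49192  ECDHE-RSA-AES256-SHA384   256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
33:    21  DHE-RSA-DES-CBC-SHA        64  SSL3    Native  DES     SHA     EDH/RSA
35:    53  AES256-SHA                256  SSL3    Native  AES     SHA     RSA
39:     4  RC4-MD5                   128  SSL3    Native  RC4     MD5     RSA
"""

# One data row: "<idx>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW_RE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

# Policy thresholds: assumptions for this example, not F5 defaults.
WEAK_CIPHERS = {"RC4", "DES"}
WEAK_MACS = {"MD5"}
MIN_BITS = 128


def parse_clientcipher(text):
    """Parse tmm --clientcipher rows into Suite tuples, skipping the header line."""
    suites = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or blank line
        idx, cid, suite, bits, prot, method, cipher, mac, keyx = m.groups()
        suites.append(
            Suite(int(idx), int(cid), suite, int(bits), prot, method, cipher, mac, keyx)
        )
    return suites


def audit(suites):
    """Return findings as (row index, suite name, reason); a row may yield several."""
    findings = []
    for s in suites:
        if s.prot == "SSL3":
            findings.append((s.idx, s.suite, "negotiable over SSLv3 (POODLE)"))
        if s.cipher in WEAK_CIPHERS:
            findings.append((s.idx, s.suite, f"weak cipher {s.cipher}"))
        if s.mac in WEAK_MACS:
            findings.append((s.idx, s.suite, f"weak MAC {s.mac}"))
        if s.bits < MIN_BITS:
            findings.append((s.idx, s.suite, f"only {s.bits}-bit key"))
    return findings


def sslv3_rows(suites):
    """Row indices that disappear once SSLv3 is dropped from the cipher string."""
    return [s.idx for s in suites if s.prot == "SSL3"]


if __name__ == "__main__":
    parsed = parse_clientcipher(SAMPLE_OUTPUT)
    for idx, name, reason in audit(parsed):
        print(f"row {idx:>2} {name:<26} {reason}")
```

Rows with no finding (here 0 and 17) are the ones a hardened cipher string should keep; every SSL3 row is exactly what `!SSLv3` (or simply not appending `:SSLv3`) removes, and the RC4 rows are what the `!RC4` exclusion from the reply strips.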