Forum Discussion
Jan 14, 2015
Hi Dave, here is a tested iRule to permit SSLv3 for specified clients:
priority 100
when RULE_INIT {
    # Enable/disable debugging
    set static::debug_rule_ssl_test 1
}
when CLIENTSSL_HANDSHAKE {
    # Log client-ssl handshake parameters
    if { $static::debug_rule_ssl_test > 1 } {
        log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
    }
    # Drop SSLv3 handshakes from clients that are not in the whitelist datagroup
    if { ([SSL::cipher version] equals "SSLv3") && !([class match [IP::client_addr] equals datagroup_sslv3_client_whitelist]) } {
        if { $static::debug_rule_ssl_test > 0 } {
            log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
        }
        drop
    }
}
Please make sure to have a datagroup (type "IP address") containing permitted client IP addresses or networks.
Your client-ssl profile needs to allow SSLv3. Otherwise the condition will never be tested. Please be aware that with later hotfixes of v11.5.1, SSLv3 is disabled by default and has to be enabled by including it in the SSL cipher string settings.
Thanks, Stephan
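
Added example, not part of the post above and not F5 code: a Python sketch that reads the log lines this iRule writes and reports which clients still negotiate SSLv3 and whether each is covered by the allowlist, which helps when deciding whether the exception can be retired. The syslog prefix, the rule name, the sample lines and the allowlist contents are constructed assumptions; only the message format comes from the iRule.

```python
import ipaddress
import re
from collections import Counter

# Message body written by the iRule's two log statements (same format in both).
LINE_RE = re.compile(
    r"client-ssl <(?P<client>[^>]+)> > <(?P<vip>[^>]+):(?P<port>\d+)> "
    r"\(<(?P<cipher>[^>]*)>:<(?P<version>[^>]*)>:<(?P<bits>\d+)>\)"
)

# Constructed sample lines; the syslog prefix and rule name are assumptions.
PREFIX = "Jan 14 10:00:01 bigip1 info tmm[9001]: Rule /Common/ssl_test <CLIENTSSL_HANDSHAKE>: "
SAMPLE = [
    PREFIX + "client-ssl <192.0.2.10> > <203.0.113.5:443> (<DES-CBC3-SHA>:<SSLv3>:<168>)",
    PREFIX + "client-ssl <198.51.100.7%1> > <203.0.113.5:443> (<AES256-SHA>:<SSLv3>:<256>)",
    PREFIX + "client-ssl <198.51.100.7%1> > <203.0.113.5:443> (<AES256-SHA>:<SSLv3>:<256>)",
    PREFIX + "client-ssl <192.0.2.44> > <203.0.113.5:443> (<ECDHE-RSA-AES128-GCM-SHA256>:<TLSv1.2>:<128>)",
    "Jan 14 10:00:02 bigip1 notice mcpd[4242]: unrelated message",
]
ALLOWLIST = ["192.0.2.0/24"]  # constructed stand-in for the datagroup contents


def parse_line(line):
    """Return the handshake fields of one log line, or None if it is not ours."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Strip a route-domain suffix such as %1 before parsing the address.
    rec["client"] = ipaddress.ip_address(rec["client"].split("%")[0])
    return rec


def sslv3_report(lines, allowlist):
    """Count SSLv3 log lines per client and flag clients outside the allowlist.

    With the debug level above 1 a dropped handshake is logged twice, so the
    figure is a count of log lines, not of distinct handshakes.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["version"] == "SSLv3":
            counts[rec["client"]] += 1
    return {
        str(ip): {"log_lines": n, "allowlisted": any(ip in net for net in nets)}
        for ip, n in sorted(counts.items(), key=lambda kv: str(kv[0]))
    }


if __name__ == "__main__":
    print(sslv3_report(SAMPLE, ALLOWLIST))
```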