Forum Discussion
Dave_013_164000
Nimbostratus
Jan 13, 2015
Trying to use iRule/s to redirect SSLv3 and while allowing other IP using SSLv3
As part of the POODLE migration I have used the following to redirect bad browsers:
when HTTP_REQUEST {
if { [SSL::cipher version] eq "SSLv3" } {
HTTP::respond 302 Location "http://co...
StephanManthey
Nacreous
Jan 13, 2015
Hi Dave, here is a tested iRule to permit SSLv3 for specified clients:
    priority 100
    when RULE_INIT {
        # Enable/disable debugging
        set static::debug_rule_ssl_test 1
    }
    when CLIENTSSL_HANDSHAKE {
        # Log client-ssl handshake parameters
        if { $static::debug_rule_ssl_test > 1 } {
            log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
        }
        # Drop SSLv3 handshakes from clients that are not in the whitelist datagroup
        if {([SSL::cipher version] equals "SSLv3") && ! ([class match [IP::client_addr] equals datagroup_sslv3_client_whitelist ])} {
            if { $static::debug_rule_ssl_test > 0 } {
                log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
            }
            drop
        }
    }
Please make sure to have a datagroup (type "IP address") containing permitted client IP addresses or networks.
Your client-ssl profile needs to allow SSLv3. Otherwise the condition will never be tested. Please be aware that with v11.5.1 later hotfixes SSLv3 is disabled by default and has to be enabled by including it in the SSL cipher string settings.
Thanks, Stephan
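An added example, not part of either post and not F5 code: a small Python audit that parses the log lines the iRule above writes and splits the clients still negotiating SSLv3 into whitelisted and non-whitelisted, which helps when deciding what belongs in `datagroup_sslv3_client_whitelist`. The syslog prefix, rule name, addresses and whitelist contents are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message body written by the iRule's log statements:
#   client-ssl <client> > <vip:port> (<cipher>:<version>:<bits>)
LOG_RE = re.compile(
    r"client-ssl <(?P<client>[^>]+)> > <(?P<vip>[^>]+)> "
    r"\(<(?P<cipher>[^>]+)>:<(?P<version>[^>]+)>:<(?P<bits>\d+)>\)"
)

def sslv3_clients(lines, whitelist):
    """Split SSLv3 clients seen in the log into (whitelisted, not_whitelisted).

    Each Counter maps client IP -> number of log lines. At debug level 2 the
    iRule logs a dropped handshake twice, so treat counts as lines, not connections.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in whitelist]
    whitelisted, not_whitelisted = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["version"] != "SSLv3":
            continue
        # IP::client_addr can carry a route-domain suffix such as %1; strip it.
        ip = ipaddress.ip_address(m["client"].split("%", 1)[0])
        bucket = whitelisted if any(ip in n for n in nets) else not_whitelisted
        bucket[str(ip)] += 1
    return whitelisted, not_whitelisted

# Constructed sample lines (syslog prefix, rule name and addresses are made up).
PREFIX = "Jan 13 10:00:01 bigip1 info tmm[1234]: Rule /Common/rule_ssl_test <CLIENTSSL_HANDSHAKE>: "
SAMPLE_LOG = [
    PREFIX + "client-ssl <198.51.100.7> > <192.0.2.10:443> (<DES-CBC3-SHA>:<SSLv3>:<168>)",
    PREFIX + "client-ssl <203.0.113.50> > <192.0.2.10:443> (<RC4-SHA>:<SSLv3>:<128>)",
    PREFIX + "client-ssl <203.0.113.50%1> > <192.0.2.10:443> (<RC4-SHA>:<SSLv3>:<128>)",
    PREFIX + "client-ssl <203.0.113.9> > <192.0.2.10:443> (<AES256-SHA>:<TLSv1.2>:<256>)",
]
# Assumed contents of datagroup_sslv3_client_whitelist.
WHITELIST = ["198.51.100.0/24"]

if __name__ == "__main__":
    ok, blocked = sslv3_clients(SAMPLE_LOG, WHITELIST)
    print("SSLv3, whitelisted:", dict(ok))
    print("SSLv3, not whitelisted (dropped by the iRule):", dict(blocked))
```

With `static::debug_rule_ssl_test` left at 1 the iRule only logs the dropped handshakes, so the whitelisted counter stays empty unless the debug level is raised to 2.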