Forum Discussion

gdoyle
May 25, 2016

Use iFile when only TLS1.0 is being used.

I want to display a custom message to people who are using only TLS1.0 in their browsers as to why they cannot access the website. I used the code below to attempt to do what I wanted after uploading the ifile to the BigIP. Unfortunately I am still able to access the website when testing and am not redirected to the ifile.

How can I redirect users based on their TLS settings?

Thanks!

when HTTP_REQUEST {
    # SSL::cipher version reports the negotiated protocol, e.g. "SSLv3", "TLSv1",
    # "TLSv1.1" or "TLSv1.2"; only versions with a dot (TLS 1.1 and later) pass this test
    if { not ([SSL::cipher version] starts_with "TLSv1.") } {
        # serve the explanatory page from the uploaded iFile and close the connection
        HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
    }
}

18 Replies

  • Hi,

    You should try adding a log in your irule to make sure that you negotiate SSL using TLS1.0

    when HTTP_REQUEST {
    
        log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr]"
    
        if { not ([SSL::cipher version] starts_with "TLSv1.") } {
            log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr], invalid SSL version"
            HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
        }
    }
    
    • gdoyle
      Stupid question: How do I view the log? Also, I discovered that the ifile was in the right place on the BigIP apparently. Once I added it there the website is being blocked, but the custom message is not being displayed. Once I can view the log I will see if the SSL/TLS is being negotiated.
    • Yann_Desmarest
      Or using the CLI, you can execute the following command to get live insight: tailf /var/log/ltm
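The log lines written by the logging iRule in the reply above can be checked offline to see whether the blocking branch actually fires for every TLS 1.0 client. The following is an added Python example, not code from the thread or from F5; it runs over constructed sample lines, and the `Rule /Common/<name> <HTTP_REQUEST>:` prefix, the rule name and the virtual-server name are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm lines as the logging iRule in the reply above
# would write them. The "Rule /Common/<name> <HTTP_REQUEST>:" prefix, the rule name
# and the virtual-server name are assumptions, not values from the thread.
SAMPLE_LOG = """\
May 25 09:12:01 bigip1 info tmm[1234]: Rule /Common/tls_message <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1.2, client_ip=10.1.1.5
May 25 09:12:02 bigip1 info tmm[1234]: Rule /Common/tls_message <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1, client_ip=10.1.1.7
May 25 09:12:02 bigip1 info tmm[1234]: Rule /Common/tls_message <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1, client_ip=10.1.1.7, invalid SSL version
May 25 09:12:05 bigip1 info tmm[1234]: Rule /Common/tls_message <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1.1, client_ip=10.1.1.9
May 25 09:12:09 bigip1 info tmm[1234]: Rule /Common/tls_message <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1, client_ip=10.1.1.11
"""

# The message body the iRule logs: "<vs> - SSL version=<v>, client_ip=<ip>[, invalid SSL version]"
LOG_RE = re.compile(
    r"(?P<vs>\S+) - SSL version=(?P<ver>[^,]+), client_ip=(?P<ip>[0-9A-Fa-f.:]+)"
    r"(?P<flag>, invalid SSL version)?"
)

def blocked_by_rule(version: str) -> bool:
    """Mirror the iRule test: not ([SSL::cipher version] starts_with "TLSv1.").
    BIG-IP reports TLS 1.0 as "TLSv1" (no trailing dot), so it lands in the blocking
    branch together with "SSLv3", while "TLSv1.1" and "TLSv1.2" pass through."""
    return not version.startswith("TLSv1.")

def summarize(log_text: str) -> dict:
    """Requests per negotiated version, plus legacy clients for which the blocking
    branch never logged (the rule silently not firing is the symptom in the thread)."""
    requests = Counter()
    legacy_ips = set()   # clients whose version the rule is meant to block
    handled_ips = set()  # clients for which the "invalid SSL version" line appeared
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated ltm log line
        ver, ip, flagged = m.group("ver").strip(), m.group("ip"), bool(m.group("flag"))
        if flagged:
            handled_ips.add(ip)  # second log line of the if-branch, not a new request
            continue
        requests[ver] += 1       # first, unconditional log line: one per request
        if blocked_by_rule(ver):
            legacy_ips.add(ip)
    return {
        "requests_by_version": dict(requests),
        "legacy_clients": sorted(legacy_ips),
        "not_handled": sorted(legacy_ips - handled_ips),
    }
```

A non-empty `not_handled` list means a client negotiated a version the rule should block but the `invalid SSL version` line never appeared for it, which points at the rule not running (or another iRule answering first) rather than at the iFile.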
  • gdoyle

    It turns out I am having the same issue that I was having attempting to do this via an irule. There are other rules in place and they don't seem to agree perfectly.

    Ah well.