Forum Discussion

gdoyle
May 25, 2016

Use iFile when only TLS1.0 is being used.

I want to display a custom message to people who are using only TLS1.0 in their browsers as to why they cannot access the website. I used the code below to attempt to do what I wanted after uploading the ifile to the BigIP. Unfortunately I am still able to access the website when testing and am not redirected to the ifile.

How can I redirect users based on their TLS settings?

Thanks!

when HTTP_REQUEST {
    if { not ([SSL::cipher version] starts_with "TLSv1.") } {
        HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
    }
}
  • Hi,

    You should try adding a log in your iRule to make sure that you negotiate SSL using TLS1.0.

    when HTTP_REQUEST {
    
        log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr]"
    
        if { not ([SSL::cipher version] starts_with "TLSv1.") } {
            log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr], invalid SSL version"
            HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
        }
    }
    
    • gdoyle
      Stupid question: How do I view the log? Also, I discovered the ifile was in the right place on the BigIP apparently. Once I added it there the website is being blocked, but the custom message is not being displayed. Once I can view the log I will see if the SSL/TLS is being negotiated.
    • Yann_Desmarest
      Or using the CLI, you can execute the following command to get insight live: tailf /var/log/ltm
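To see what the log statements in the answer above actually report about your clients before relying on the message page, here is an added Python helper (not from the thread or from F5) that parses constructed /var/log/ltm lines shaped like that iRule's `log local0.` output and mirrors the iRule's version test. The syslog prefix, the rule name /Common/tls_msg, the virtual name and the client addresses are all constructed sample values, and the helper assumes SSL::cipher version reports TLS 1.0 as "TLSv1" (no dot) and newer versions as "TLSv1.1"/"TLSv1.2".

```python
"""Summarise the SSL-version lines the thread's iRule writes to /var/log/ltm."""
import re
from collections import Counter

# Constructed sample log lines; the message part follows the two log statements
# in the answer's iRule (the "invalid SSL version" line is only written on the
# blocked branch, so it appears as a second line for the same request).
SAMPLE_LTM_LOG = """\
May 25 10:00:01 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1.2, client_ip=10.0.0.5
May 25 10:00:02 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1, client_ip=10.0.0.6
May 25 10:00:02 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1, client_ip=10.0.0.6, invalid SSL version
May 25 10:00:03 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=TLSv1.1, client_ip=10.0.0.7
May 25 10:00:04 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=SSLv3, client_ip=10.0.0.8
May 25 10:00:04 bigip1 info tmm[1234]: Rule /Common/tls_msg <HTTP_REQUEST>: /Common/vs_https - SSL version=SSLv3, client_ip=10.0.0.8, invalid SSL version
"""

# Matches the tail of a line written by the iRule; the optional suffix marks the blocked branch.
LINE_RE = re.compile(
    r"SSL version=(?P<ver>\S+?), client_ip=(?P<ip>[0-9a-fA-F.:]+)(?P<flag>, invalid SSL version)?$"
)


def irule_would_block(version):
    """Mirror the iRule test: not ([SSL::cipher version] starts_with "TLSv1.").

    The trailing dot matters (assumption about SSL::cipher version output): TLS 1.0
    is reported as "TLSv1", so it and SSLv3 are blocked while TLSv1.1/TLSv1.2 pass.
    """
    return not version.startswith("TLSv1.")


def parse_ltm_log(text):
    """Return one (version, client_ip, flagged_by_irule) tuple per matching line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("ver"), m.group("ip"), m.group("flag") is not None))
    return records


def summarise(records):
    """Count negotiated versions per request and list clients that hit the message path."""
    versions = Counter(ver for ver, _, flagged in records if not flagged)
    blocked = sorted({ip for ver, ip, flagged in records if flagged})
    # Cross-check: a flagged line whose version the test would not block means
    # the deployed iRule differs from the one in the thread.
    inconsistent = [ver for ver, _, flagged in records if flagged and not irule_would_block(ver)]
    return versions, blocked, inconsistent
```

Run it against `tailf /var/log/ltm` output captured to a file to see which negotiated versions your test browser really uses; if your client shows up as TLSv1.1 or TLSv1.2, the iRule is working and the browser simply is not limited to TLS1.0.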
  • gdoyle

    It turns out I am having the same issue that I was having attempting to do this via an irule. There are other rules in place and they don't seem to agree perfectly.

    Ah well.