Forum Discussion
gdoyle, May 25, 2016 (Cirrostratus)
Use iFile when only TLS1.0 is being used.
I want to display a custom message to people who are using only TLS1.0 in their browsers as to why they cannot access the website. I used the code below to attempt to do what I wanted after uploading...
Yann_Desmarest, May 25, 2016 (Cirrus)
Hi,
You should try adding a log in your iRule to make sure that you negotiate SSL using TLS1.0
when HTTP_REQUEST {
    # Log the negotiated protocol version for every request so the
    # handshake result can be checked in /var/log/ltm
    log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr]"
    # "TLSv1." (with the trailing dot) matches TLSv1.1 and TLSv1.2 only;
    # TLSv1 (TLS 1.0) and older versions fall into this branch
    if { not ([SSL::cipher version] starts_with "TLSv1.") } {
        log local0. "[virtual] - SSL version=[SSL::cipher version], client_ip=[IP::client_addr], invalid SSL version"
        # Serve the uploaded iFile directly and close the connection
        HTTP::respond 200 content [ifile get message.html] noserver "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Connection Close
    }
}
- gdoyle, May 25, 2016 (Cirrostratus): Stupid question: How do I view the log? Also, I discovered that the ifile was in the right place on the BIG-IP apparently. Once I added it there the website is being blocked, but the custom message is not being displayed. Once I can view the log I will see if the SSL/TLS is being negotiated.
- Yann_Desmarest, May 25, 2016 (Cirrus): You can go to System >> Logs >> Local Traffic
- Yann_Desmarest, May 25, 2016 (Cirrus): Or using the CLI, you can execute the following command to get live insight: tailf /var/log/ltm
- gdoyle, May 25, 2016 (Cirrostratus): Ok, so it looks like the conversation is working... Sequence of events in my pcap:
  1. SYN
  2. SYN, ACK
  3. ACK
  4. Client Hello
  5. Server Hello, Certificate, Server Hello Done
  6. Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  7. 443 -> 56501 [ACK]
  8. Change Cipher Spec, Encrypted Handshake Message
  9. Application Data, Application Data
  10. 443 -> 56501 [ACK]
  11. 443 -> 56501 [RST, ACK]
  So you can see it is being reset at the end. Then the cycle repeats a few more times and stops.
- Yann_Desmarest, May 25, 2016 (Cirrus): Hi, you should import this pcap into Wireshark. You will probably find something wrong at the SSL level. You can also try your iRule from within the BIG-IP itself by executing the following command: openssl s_client -connect VS_IP:443 -tls1
- Yann_Desmarest, May 25, 2016 (Cirrus): After executing this command, you can try a GET / and see the result. If everything goes fine, you should get the message from the ifile.
- Yann_Desmarest, May 25, 2016 (Cirrus): Can you also check in your LTM logs to find whether there are Tcl errors on the iRule execution?
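As an added example (not code from the thread, from F5, or from either poster), a small POSIX shell script that automates the openssl s_client check suggested above: one handshake per protocol version, a plain GET /, and a report of whether the ifile page came back instead of the site. It also exercises the condition in the iRule answer: because starts_with "TLSv1." includes the dot, a TLSv1.1 or TLSv1.2 client should get the normal site while a TLSv1 (TLS 1.0) client should get the custom page. VS_IP, the port and the MARKER string are assumptions to fill in; the script expects message.html to contain a string unique to it so the result can be classified without reading the raw output.

```shell
#!/bin/sh
# Probe a BIG-IP virtual server with one TLS version at a time and report
# whether the iRule's "invalid SSL version" page came back.
# Hypothetical helper written for this thread, not part of it. Assumes:
# openssl(1) on the path, VS_IP:443 reachable from this host, and that
# message.html (the ifile) contains the text given in MARKER.

MARKER="${MARKER:-TLS}"   # assumption: a string unique to message.html

# classify_response: reads an HTTP response from stdin and prints
#   blocked  - the response carries the ifile marker (the iRule fired)
#   allowed  - an HTTP response came back without the marker
#   none     - no HTTP response at all (handshake failure, reset, etc.)
classify_response() {
    body=$(cat)
    case "$body" in
        *"$MARKER"*) echo blocked ;;
        *"HTTP/1."*) echo allowed ;;
        *)           echo none ;;
    esac
}

# probe HOST PORT PROTOFLAG: a single handshake restricted to one protocol
# version, then a plain GET /, mirroring the manual s_client check.
# "Connection: close" makes the server end the session, which is what lets
# the -quiet client (which ignores EOF on stdin) return.
probe() {
    host=$1; port=$2; proto=$3
    printf 'GET / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
      | openssl s_client -connect "$host:$port" "$proto" -quiet 2>/dev/null \
      | classify_response
}

# Usage: ./probe.sh VS_IP [443]
if [ "$#" -ge 1 ]; then
    for p in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$p" "$(probe "$1" "${2:-443}" "$p")"
    done
fi
```

Expected output for a working iRule is blocked for -tls1 and allowed for -tls1_1 and -tls1_2. An OpenSSL build with TLS 1.0 compiled out will print none for -tls1 because the handshake never starts; that is a limitation of the test client, not evidence about the iRule, so check the LTM log entry for the same connection before drawing a conclusion.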