Kharsma_176894
Dec 19, 2014

using iRules to figure out how many SSLv3 connections

Hey everyone,

 

I am working on trying to get rid of SSLv3, but have a lot of legacy clients/apps that may not support TLS yet. I came across an iRule that I tweaked in a way that I thought might work for logging all SSLv3 connections. Can someone validate this or maybe suggest a better method? FYI: I'm pretty new to the iRule language, so this may be a poorly written rule.

 

    when HTTP_REQUEST {
        # Protocol version negotiated with the client, e.g. "SSLv3"
        set cipherSuite [SSL::cipher version]
    }
    when SERVER_CONNECTED {
        # Address of the server selected for this connection
        set vNAME [IP::server_addr]
        if { $cipherSuite equals "SSLv3" } {
            log local0. "SSL3 connection detected from [IP::client_addr] for server at $vNAME"
        }
    }

 

Thanks!!

 

Kharsma

 

    • shaggy
      you can also use: tmsh show ltm profile client-ssl (profile-name)
      it includes stats similar to:

      Protocol
        SSL Protocol Version 2      0
        SSL Protocol Version 3      2.4K
        TLS Protocol Version 1.0    1.1M
        TLS Protocol Version 1.1    337.8K
        TLS Protocol Version 1.2    2.6M
        DTLS Protocol Version 1     0
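
An added example, not part of the thread and not F5 code: a Python parser for the Protocol counters quoted in the reply above, giving the SSLv2/SSLv3 share of handshakes and the change between two snapshots. It assumes the K/M/G suffixes are decimal multipliers and that the counters are cumulative; the function names are hypothetical.

```python
import re

# Constructed sample: the Protocol counters quoted in the reply above,
# laid out one row per line (assumed layout).
SAMPLE = """\
Protocol
  SSL Protocol Version 2      0
  SSL Protocol Version 3      2.4K
  TLS Protocol Version 1.0    1.1M
  TLS Protocol Version 1.1    337.8K
  TLS Protocol Version 1.2    2.6M
  DTLS Protocol Version 1     0
"""

# Assumption: abbreviated counters use decimal K/M/G multipliers.
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
ROW = re.compile(r"^\s*((?:SSL|TLS|DTLS) Protocol Version \d+(?:\.\d+)?)"
                 r"\s+(\d+(?:\.\d+)?)([KMG]?)\s*$")
LEGACY = ("SSL Protocol Version 2", "SSL Protocol Version 3")

def parse_protocol_counts(text):
    """Return {protocol row name: handshake count} from the stats text."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, number, suffix = m.groups()
            counts[name] = round(float(number) * SUFFIX[suffix])
    return counts

def legacy_share(counts):
    """Return (SSLv2+SSLv3 count, total count, legacy fraction)."""
    total = sum(counts.values())
    legacy = sum(counts.get(name, 0) for name in LEGACY)
    return legacy, total, (legacy / total if total else 0.0)

def growth(before, after):
    """Per-protocol increase between two snapshots of cumulative counters.
    A counter that went down means the stats were reset, so the later
    value is all that is known to have happened since."""
    return {name: (n - before.get(name, 0) if n >= before.get(name, 0) else n)
            for name, n in after.items()}

if __name__ == "__main__":
    counts = parse_protocol_counts(SAMPLE)
    legacy, total, share = legacy_share(counts)
    print(f"SSLv2/SSLv3: {legacy} of {total} handshakes ({share:.4%})")
```

Because the abbreviated values are rounded, small changes between snapshots can be invisible; a non-zero SSLv3 growth over an observation window is the signal that legacy clients are still connecting.
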
  • Thanks for the info, guys. I'm not very fluent in the iControl world; any good links for iControl usage? But tmsh commands should prove useful.

     

  • You can get the iControl library for a variety of different languages. Look here for some links to different ones.

     

    Regarding usage information on iControl, this may be your best bet for an overview. The downloads may have language specific usage instructions.

     

    Also, you could consider the newer iControlRest option. Here's a link to the user guide.