Forum Discussion
madi_56757
Nimbostratus
Apr 27, 2005
verifying ssl encryption
Hello
Is it possible to verify in an iRule the client encryption of SSL?
The problem is I will configure a VIP to terminate the SSL (443)
and if the encryption gre...
hoolio
Cirrostratus
Jan 09, 2010
Hi Tom,
It's a 'one or the other' situation. If you want to pass the pentest check you need to disallow the cipher in the SSL profile or use an iRule to prevent the SSL handshake from completing. Doing so prevents you from completing the handshake and sending an HTTP response to clients with a low cipher.
I think the former option is a bad one because it blocks clients from accessing the VIP with no indication of why. So they just see a 'page cannot be displayed' error in the browser and assume the site is down. Completing the handshake with a low cipher and sending an HTTP response indicating the client must upgrade their browser to use the site is much better for user experience. And it's not a security issue because any client trying to use a low cipher won't be able to access the app. It's just a reporting issue because a pen test will give a false positive.
Aaron
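
The second option described in the reply above, sketched as an iRule. This is an added example, not code posted by anyone in the thread. It assumes the client SSL profile still offers the weak ciphers so the handshake can complete, and the 128-bit threshold and the response text are constructed for illustration.

```tcl
# Added example: complete the handshake, then answer weak-cipher clients
# locally instead of forwarding them to the application.
# Assumption: "low cipher" means fewer than 128 bits; adjust to your policy.

when CLIENTSSL_HANDSHAKE {
    # Log the negotiated cipher once per connection so the weak clients
    # that still reach the VIP can be counted before the cipher is removed.
    if { [SSL::cipher bits] < 128 } {
        log local0.notice "Weak cipher from [IP::client_addr]: [SSL::cipher name] ([SSL::cipher bits] bits, [SSL::cipher version])"
    }
}

when HTTP_REQUEST {
    if { [SSL::cipher bits] < 128 } {
        # HTTP::respond answers from the BIG-IP itself, so the request is
        # never sent to a pool member. A scanner will still report the weak
        # cipher as accepted, because the handshake did complete.
        HTTP::respond 403 content {<html><body><p>This site requires a browser that supports stronger encryption. Please upgrade your browser.</p></body></html>} noserver "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```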