Forum Discussion
madi_56757
Nimbostratus
Apr 27, 2005
verifying ssl encryption
Hello
Is it possible to verify in an iRule the client encryption of SSL?
The problem is I will configure a VIP to terminate the SSL (443)
and if the encryption gre...
Thomas_Schaefer
Nimbostratus
Jan 20, 2010
Aaron,
I agree. I tried it all ways: iRule in HTTP_REQUEST, iRule in CLIENTSSL_HANDSHAKE, and on the profile.
If I check the cipher strength in CLIENTSSL_HANDSHAKE and reject the request if the bits are < 128, this handles the scanners OK, but I still cannot do the redirect.
I was thinking that I could just send a reply on the wire that looked like an HTTP response, but as the client has not made an HTTP request, there is no way to handle that. I did just tell our security team that this is the way it is. They can verify that we do not allow the traffic with a lower strength cipher, and chalk the rest up to a false positive.
Note I do like the fact that, while the docs for CLIENTSSL_HANDSHAKE state this event is fired when the SSL connection is done, if you reject in there, you actually do stop the processing. So, it is really "The CLIENTSSL_HANDSHAKE event is called as the last step of session negotiation". If this event does not complete processing, the SSL session is terminated. The docs stating that this is when it is finished was a bit misleading.
Thanks,
Tom
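
The trade-off described in the post above, sketched as an iRule. This is an added example, not code posted in the thread: the `static::` variable names, the 128-bit threshold placement in `RULE_INIT`, and the redirect URL are assumptions for illustration.

```tcl
when RULE_INIT {
    # Assumed settings (hypothetical names and values, not from the thread)
    set static::min_cipher_bits 128
    # "reject"   : drop the connection at the end of the SSL handshake
    # "redirect" : let the handshake finish, then redirect at the HTTP layer
    set static::weak_cipher_action "reject"
    set static::upgrade_url "https://www.example.com/upgrade-browser"
}

when CLIENTSSL_HANDSHAKE {
    if { [SSL::cipher bits] < $static::min_cipher_bits } {
        # Record what was negotiated so the rejection can be audited later
        log local0. "weak cipher from [IP::client_addr]: [SSL::cipher name] ([SSL::cipher bits] bits, [SSL::cipher version])"
        if { $static::weak_cipher_action eq "reject" } {
            # No HTTP request exists yet, so no redirect can be sent here;
            # the client only sees the connection close.
            reject
        }
    }
}

when HTTP_REQUEST {
    # With a weak cipher this event is reached only in "redirect" mode,
    # because "reject" mode has already terminated the SSL session.
    if { [SSL::cipher bits] < $static::min_cipher_bits } {
        HTTP::redirect $static::upgrade_url
    }
}
```

In "redirect" mode the weak-cipher handshake completes before the redirect is sent, so a scanner will still report the cipher as accepted; "reject" mode avoids that at the cost of giving the user no explanation.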