SSL Heartbleed iRule update

Get the latest updates on how F5 mitigates HeartbleedGet the latest updates on how F5 mitigates Heartbleed

For those of you tuning in to learn more about the OpenSSL Heartbleed vulnerability, here are more details about it and how F5 customers are protected. The iRule below mitigates the Heartbleed vulnerability for virtual servers that do not use SSL termination.
 

This iRule will find any heartbeat request from a client and close the connection immediately. We believe this is an effective mitigation because we have not seen any clients that send a valid heartbeat request, even if they do advertise heartbeat support.

Most of the malicious clients we've seen don't bother to do a full TLS handshake; they start the handshake, then send the malicious heartbeat request. This iRule works even if someone writes a malicious client that negotiates the full SSL handshake then sends an encrypted heartbeat reqest.

##############################################
# Name: heatbleed.c rejector irule.
# Description: This irule is a tweak to https://devcentral.f5.com/s/articles/ssl-heartbleed-irule-update
# Purpose: to block heartbleed requests.
# - added check for 768 and 769 ( SSLv3 and TLSv1 )
# - Ensure r is a positive value. This only happens when there is no valid SSL record.
# VERSION: 4 - 16.apr.14
##############################################
when CLIENT_ACCEPTED {
    TCP::collect
    set s 0
    set r 0
}
when CLIENT_DATA {
    set c [TCP::payload length]
    set i 0
    while { $i < $c } {
        set b [expr {$c - $i}]
        if { $s } {
            # skipping payload
            if { $b >= $r } {
                set s 0
                set i [expr {$i + $r}]
            } else {
                set r [expr {$r - $b}]
                set i [expr {$i + $b}]
            }
        } else {
            # parsing TLS record header
            if { $b < 5 } {            
               break
            }
            binary scan [TCP::payload] @${i}cSS t v r
            set r [expr {$r & 0xFFFF}]
            set i [expr {$i + 5}]
            if { $t == 24 }{
                switch -- $v {
                    "768" -
                    "769" -
                    "770" -
                    "771" -
                    "772" {
                         log local0. "Detected Heartbeat Request from [IP::remote_addr]. REJECTING!"
                         reject
                    }
                }
            }
            set s 1
        }
    }
    TCP::release $i
    TCP::collect
}

If you have clients that do issue valid heartbeat requests,we have a server side iRule that will only pass valid short heartbeat responses at the cost of a small performance penalty.

Updated Mar 18, 2022
Version 2.0
application delivery
devops
heartbleed
iRules
openssl
Security