The Logjam vulnerabilities described here do not impact SSL traffic offloaded by BIG-IP unless select COMPAT ciphers are enabled by an administrator. However, for SSL traffic that is not offloaded at the BIG-IP but simply load balanced to back-end servers, clients are at risk of a man-in-the-middle attack if both client and server are vulnerable.
This iRule checks for any Diffie-Hellman EXPORT ciphers (as listed in RFC 2246) offered by the client and rejects the connection if it finds one.
How to use this snippet:
Apply this iRule (with associated data-group) to any SSL virtual server that is NOT offloading SSL but DOES load balance SSL traffic for vulnerable servers. Tested in 11.2.1 and 11.6, but should work in all versions.
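
The check described above, sketched in Python as an added example (it is not the iRule or its data-group): it parses a ClientHello and reports any of the six DH/DHE EXPORT suites defined in RFC 2246, Appendix A.5. The function names and the sample ClientHello are constructed for illustration.

```python
# DH/DHE EXPORT cipher suites defined in RFC 2246, Appendix A.5
DH_EXPORT_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def offered_suites(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record.

    Raises ValueError for anything that is not one complete, unfragmented
    ClientHello (SSLv2-format hellos are not parsed here)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(record) < 5 + rec_len or len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + hello[pos]               # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("session_id overruns ClientHello")
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def dh_export_offered(record):
    """Names of DH EXPORT suites in the offer; non-empty means reject."""
    return [DH_EXPORT_SUITES[s] for s in offered_suites(record)
            if s in DH_EXPORT_SUITES]

def build_client_hello(suites):
    """Constructed sample input: minimal TLS 1.0 ClientHello offering `suites`."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    sample = build_client_hello([0x002F, 0x0014, 0x0035])
    print(dh_export_offered(sample))
```

A ClientHello that cannot be parsed raises `ValueError` rather than passing silently, so the caller has to decide explicitly how to treat fragmented or malformed hellos.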