Redirect On Weak Encryption

Problem this snippet solves:

This rule illustrates how to redirect a client to an un-encrypted page with an informational error if the client does not have at least 128 bits of encryption.

This rule illustrates how to redirect a client to an un-encrypted page with an informational error if the client does not have at least 128 bits of encryption. The iRule uses the SSL::cipher command to get details on the selected SSL cipher.

This approach can be more user-friendly compared with disabling ciphers in the client SSL profile. Configuring the profile to refuse low ciphers can result in non-conforming clients receiving a TCP reset.

Note: Vulnerability scanners will detect that LTM supports low ciphers using this iRule. However, no low cipher requests will be able to reach the VIP's default pool, so the issue is moot.

Code :

# iRule Source for less than 128 bits

when HTTP_REQUEST {

   # Check for less than 128 bits of encryption
   if { [SSL::cipher bits] < 128 }{

      # When browser cannot do at least 128 bits of encryption 
      #   redirect to a un-encrypted page with an informational error.
      # Set cache control headers to prevent proxies from caching the response.
      # The cache control headers shouldn't be necessary for a 302, 
      #   but it doesn't do any harm setting them.
      HTTP::respond 302 Location "http://10.10.10.10/error/sslerr.html" Cache-Control No-Cache Pragma No-Cache Connection Close
   }
}

# iRule Source for less than TLS1.1

when HTTP_REQUEST {

# Check for less than TLSv1.1. This prevents SSLv2, SSLv3, TLSv1 (TLSv1.0 is returned as TLSv1 by [SSL::cipher version]).
switch -glob [SSL::cipher version] {
"TLSv1.*" {
# Do nothing and allow the request
}
default {
# When browser cannot negotiate at least TLSv1.1
#redirect to a unencrypted page with an informational error.
# Set cache control headers to prevent proxies from caching the response.
# The cache control headers shouldn't be necessary for a 302, 
#but it doesn't do any harm setting them.
HTTP::respond 302 Location "http://10.10.10.10/error/sslerr.html" Cache-Control No-Cache Pragma No-Cache Connection Close

# Log details of the SSL handshake and browser user-agent
# Consider using High Speed Logging instead to improve performance: https://devcentral.f5.com/s/wiki/iRules.hsl.ashx
log local0. "[IP::client_addr]:[TCP::client_port]:\
   \[SSL::cipher version\]: [SSL::cipher version],\
   \[SSL::cipher name\]: [SSL::cipher name],\
   \[SSL::cipher bits\]: [SSL::cipher bits],\
   U-A: [HTTP::header User-Agent]"
}
}
}
Published Mar 18, 2015
Version 1.0

Was this article helpful?

No CommentsBe the first to comment