cancel
Showing results for 
Search instead for 
Did you mean: 
Jeff_Costlow_10
Historic F5 Account

The below iRule written by my team will stop all SSLv3 connections. If you are not using the SSL termination capabilities of your BIG-IP and instead are doing TCP load balancing, then the iRule will protect your servers from the POODLE attack.
If you are doing SSL termination at the BIG-IP, then follow the instructions in the previous article .

Please be sure to test this thoroughly in your production environment. Be sure to check any embedded devices or dedicated devices that might have older legacy software installed.

##############################################
# Name: stop_ssl3 iRule
# Description: This irule will reject any attempt to connnect using
# an SSL3 or lower client.
# VERSION: 3 - 16.oct.14
##############################################
 
when SERVER_CONNECTED {
  set Debug 1
  set Collect_Len 3
  TCP::collect $Collect_Len
}
 
when SERVER_DATA {
  set Buf_Len [TCP::offset]
  if { $Buf_Len < 3 } {
    incr Collect_Len -$Buf_Len
    TCP::collect $Collect_Len
    return
  }
  binary scan [TCP::payload] cS Rec_Type Version
  if { $Version <= 768 } {
    log local0. "stop_ssl3: Rejecting SSL3 or lower connection attempt from [IP::client_addr]"
    reject
  } else {
    TCP::release
  }
}

 

Comments
ccna55_14039
Nimbostratus
Nimbostratus
First off i want to say thanks for the irule, This is very close to what we were looking to be able to complete some of our testing. Question (By know means am i an irule expert or complaining) i am more just curious in your thoughts? Was there a reason why you chose not to use CLIENT_ACCEPTED and CLIENT_DATA? I know you can disable sslv3 via client ssl profile however in the case a profile is wildcarded *.domain.com and same profile used on many VIP's. If you have a scenario where as you only want to test a few VIPs at a time that use the same clientside wildcarded profile. It appears using this same irule above with a few minor modifications will work with SSL offloading and non SSL offloading clients, Thus using an irule per vip even if using the same ssl client profile will work to reject those connections. Problem i am trying to solve now is to somehow send something back to client to alert them why we rejected instead of just a plain tcp reject. i tried various options including TCP::respond to no avail. Here is my test irule based upon above for non-ssl and ssl offload connections. when CLIENT_ACCEPTED { set Collect_Len 3 TCP::collect $Collect_Len } when CLIENT_DATA { set Buf_Len [TCP::offset] if { $Buf_Len < 3 } { incr Collect_Len -$Buf_Len TCP::collect $Collect_Len return } binary scan [TCP::payload] cS Rec_Type Version if { $Version <= 768 } { log local0.notice "Rejecting SSLv3 or lower connection attempts from [IP::client_addr] to [IP::local_addr]" reject } else { TCP::release } } Thanks again, ccna55
ccna55_14039
Nimbostratus
Nimbostratus
Sorry for the bad format, i was not able to review before submit. ccna55
kwkyiu_53019
Nimbostratus
Nimbostratus
SERVER_DATA is used as client only propose the Max SSL/TLS version it will use. Server shall response with SSL/TLS version that is the negotiated version. So checking CLIENT_DATA will miss cases like client propose TLS 1.2 and server response with SSL 3.0
ccna55_14039
Nimbostratus
Nimbostratus
In our case we didnt want the server nor client responding to sslv3. Thanks for the info. ccna55
boktai1000_1750
Nimbostratus
Nimbostratus
Hello ccna55, I would be very interesting in receiving your modified iRule (you mentioned with a few minor modifications that it will work with SSL offloading and non SSL offloading clients). We have SSL termination on almost every VIP on our F5 BIG-IP, and being able to turn SSLv3 on and off is very desirable for us. I have search devcentral for such a script, and maybe I haven't looked hard enough or overlooked something, but my research has led me here and I am wondering if you are willing to share this with the community. Thanks!
ccna55_14039
Nimbostratus
Nimbostratus
As requested here is the script i used. I give Jeff all the Credit for this, i just took his script and modified it for my own usage. I have tested this successfully on many vips as i mentioned with or without SSL offloading. Issue you will have is this is all happening at Layer4 thus no way (That i have found yet) to alert client to why you rejected or dropped them. Here is the modified script i used. Name: Block-SSLV3-and-Lower2-TCPLayer Description: This irule will reject any attempt to connnect using an SSL3 or lower client. This is at the TCP layer you cant send a html page back to user. This will work for types of connections ssl-offload and no ssl-offload. Just needs to use the TCP profile. when CLIENT_ACCEPTED { set Collect_Len 3 TCP::collect $Collect_Len } when CLIENT_DATA { set Buf_Len [TCP::offset] if { $Buf_Len < 3 } { incr Collect_Len -$Buf_Len TCP::collect $Collect_Len return } binary scan [TCP::payload] cS Rec_Type Version if { $Version <= 768 } { log local0.notice "Rejecting SSLv3 or lower connection attempts from [IP::client_addr] to [IP::local_addr]" reject } else { TCP::release } }
ccna55_14039
Nimbostratus
Nimbostratus
Sorry again for the format, i tried the 4 space/tab option to paste the code in the correct format. However as you can see it didn't work. If someone needs the code send me a message and i will send it to you. I am unsure how to paste the code in nice format. Sorry, ccna55
boktai1000_1750
Nimbostratus
Nimbostratus
Awesome, thanks ccna55! I am a bit worried about the formatting though, you could try pasting it on a website like pastebin (http://pastebin.com/) and posting a link here? I believe that will fix the formatting and make it a lot more readable to other viewers as well. Again, thanks so much for following up!
RobertColbert
Nimbostratus
Nimbostratus
If you want more control over what happens to the connection (i.e. redirect to another page) you could use something like this: when HTTP_REQUEST { set cipherSuite [SSL::cipher version] if { $cipherSuite equals "SSLv3" } { log local0. "SSL3 connection detected from [IP::client_addr] for [virtual name]" HTTP::redirect http://noSSLv3/page.html TCP::close } }
RobertColbert
Nimbostratus
Nimbostratus
If you want more control over what happens to the connection (i.e. redirect to another page) you could use something like this: [code] when HTTP_REQUEST { set cipherSuite [SSL::cipher version] if { $cipherSuite equals "SSLv3" } { log local0. "SSL3 connection detected from [IP::client_addr] for [virtual name]" HTTP::redirect http://noSSLv3/page.html TCP::close } } [/code]
BBDNA_8471
Nimbostratus
Nimbostratus
@ccna55 I have gone ahead and cleaned this up and posted to pastebin as some had suggested. Thank you very much for this! http://pastebin.com/nFnyc6iG
Version history
Last update:
‎18-Mar-2022 10:00
Updated by: