First off, I want to say thanks for the iRule. This is very close to what we were looking for to be able to complete some of our testing.
Question (by no means am I an iRule expert, nor am I complaining; I am just curious about your thoughts):
Was there a reason why you chose not to use CLIENT_ACCEPTED and CLIENT_DATA?
I know you can disable SSLv3 via the client SSL profile; however, consider the case where a profile is wildcarded (*.domain.com)
and the same profile is used on many VIPs, and you have a scenario where you only want to test a few VIPs at a time that use the same client-side wildcarded profile.
It appears that using this same iRule above, with a few minor modifications, will work with SSL-offloading and non-SSL-offloading clients, so using an iRule per VIP, even with the same client SSL profile, will work to reject those connections.
The problem I am trying to solve now is to somehow send something back to the client to alert them why we rejected, instead of just a plain TCP reject.
I tried various options, including TCP::respond, to no avail.
Here is my test iRule, based on the one above, for non-SSL and SSL-offload connections.
when CLIENT_ACCEPTED {
    # Collect the first 3 bytes the client sends: record type (1 byte) + version (2 bytes)
    set Collect_Len 3
    TCP::collect $Collect_Len
}
when CLIENT_DATA {
    set Buf_Len [TCP::offset]
    if { $Buf_Len < 3 } {
        # Short read: ask for the remaining bytes and wait for the next CLIENT_DATA
        incr Collect_Len -$Buf_Len
        TCP::collect $Collect_Len
        return
    }
    # c = one signed byte (record type), S = 16-bit big-endian integer (version)
    binary scan [TCP::payload] cS Rec_Type Version
    # 768 = 0x0300 is the SSLv3 record version; TLS 1.0 is 0x0301 (769)
    if { $Version <= 768 } {
        log local0.notice "Rejecting SSLv3 or lower connection attempts from [IP::client_addr] to [IP::local_addr]"
        reject
    } else {
        # Version is TLS 1.0 or newer (or not an SSL record at all): hand the data on
        TCP::release
    }
}
Thanks again,
ccna55
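To see what the 3-byte check in the iRule above actually decides for different client openings, here is an added Python model of its CLIENT_DATA logic (example code, not the poster's iRule or anything from F5). It reproduces the signed `cS` scan with `struct.unpack(">bh", ...)`, and the sample payloads are constructed, not captured traffic; the SSLv2-format hello is included because its bytes 2-3 are a length and message type rather than a version field, so the `<= 768` test releases it.

```python
import struct

SSLV3 = 0x0300      # 768, the threshold the iRule compares Version against
HEADER_LEN = 3      # record type (1 byte) + version (2 bytes), what TCP::collect gathers


def scan_header(payload: bytes):
    """Mimic `binary scan [TCP::payload] cS Rec_Type Version`.

    'c' is a signed byte and 'S' a signed big-endian 16-bit integer in Tcl,
    so ">bh" is the equivalent struct format. Returns (rec_type, version).
    """
    return struct.unpack(">bh", payload[:HEADER_LEN])


def decide(payload: bytes) -> str:
    """Return the action the iRule's CLIENT_DATA event would take.

    'collect' = fewer than 3 bytes buffered, wait for more
    'reject'  = version field <= 0x0300 (SSLv3 or lower)
    'release' = anything else, including non-SSL traffic
    """
    if len(payload) < HEADER_LEN:
        return "collect"
    _rec_type, version = scan_header(payload)
    if version <= SSLV3:
        return "reject"
    return "release"


# Constructed sample openings (first bytes a client sends), for illustration only.
SAMPLES = {
    "sslv3_hello": bytes([0x16, 0x03, 0x00]),   # handshake record, version 3.0 -> reject
    "tls10_hello": bytes([0x16, 0x03, 0x01]),   # version 3.1 -> release
    "tls12_hello": bytes([0x16, 0x03, 0x03]),   # version 3.3 -> release
    "sslv2_hello": bytes([0x80, 0x2E, 0x01]),   # SSLv2 format: length with high bit set, then msg type 0x01
    "short_read":  bytes([0x16, 0x03]),         # only 2 bytes so far -> collect again
    "plain_http":  b"GET",                      # non-SSL VIP traffic -> release
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} {payload.hex():8s} -> {decide(payload)}")
```

Note that `sslv2_hello` is released, not rejected: the record-version test only matches SSLv3-style record headers, which is worth knowing when deciding what "SSLv3 or lower" covers in testing.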