Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

CLIENT_HELLO SSL TLS version insert

Go to solution
JO_JO
Nimbostratus
Nimbostratus

‎17-May-2023 00:34


CLIENT_HELLO SSL/TLS version insert

HELLO,

I want to insert the SSLv3, TLSv1, TLSv1.1 version in the HTTP header

The name of the HTTP header is "version"

I must use irule

when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}

when HTTP_REQUEST {
if {[class match $version equals tls-version ]} {
HTTP::header "version = $version"
}
}

In the data group tls-version, I defined SSLv3,TLSv1, TLSv1.1

It does not work

What's the problem?

Is there a better way?

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Enes_Afsin_Al
MVP
MVP

‎17-May-2023 04:23

Hi JO_JO,

"insert" command is required to add http header. Can you try this iRule?

when HTTP_REQUEST {
	if { [class match [SSL::cipher version] equals tls-version] } {
		HTTP::header insert "version" [SSL::cipher version]
	}
}

 

View solution in original post

2 REPLIES 2

Go to solution
423479
Nimbostratus
Nimbostratus

‎17-May-2023 01:09

Hello,

The problem with your iRule is that you're attempting to compare the value of the version variable to the data group tls-version using the class match command. However, the class match command is used to match against a predefined class, not a data group.

To fix this issue, you can modify your iRule as follows:

when CLIENTSSL_CLIENTHELLO {
set version [SSL::cipher version]
}

when HTTP_REQUEST {
if {[class match [string toupper $version] equals tls-version]} {
HTTP::header replace "version" "$version"
}
}

In this updated iRule, we convert the version variable to uppercase using string toupper to ensure a case-insensitive match. Then, we compare it to the class tls-version. If there is a match, we replace the existing version header (if present) with the value of the version variable.

Make sure you have defined the data group tls-version properly with the values "SSLv3", "TLSv1", and "TLSv1.1".

Note: It's important to mention that SSLv3 and TLSv1.1 are considered insecure and deprecated protocols. It's highly recommended to use more secure versions like TLSv1.2 or TLSv1.3.

 

 

0 Kudos

Go to solution
Enes_Afsin_Al
MVP
MVP

‎17-May-2023 04:23

Hi JO_JO,

"insert" command is required to add http header. Can you try this iRule?

when HTTP_REQUEST {
	if { [class match [SSL::cipher version] equals tls-version] } {
		HTTP::header insert "version" [SSL::cipher version]
	}
}

 

Copyright © 2023 Khoros, LLC