Disablling SSL v2 to users with iRules

Question

I'm looking at capturing users who use an older browser which negotiates with SSL v.2 and redirecting them to a page that basically tells them to upgrade.&nbsp;
&nbsp;My questions are these:&nbsp;
&nbsp;1) Can I use SSL::cipher version to determine if the user is using version 2, then redirecting them to this friendly page or should I use another SSL irule?&nbsp;
&nbsp;2) Do I need to terminate SSL on the LTM for this to work or can termination be done at the web server level?&nbsp;
&nbsp;Thanks...&nbsp;&nbsp;&nbsp;

douglas_wong_10 · Answer

Thanks for your reply Hoolio. &nbsp;
&nbsp;It sounds like I'll need to terminate SSL on BigIP, rather than installing the certificate on my Web Server directly for the SSL:: irules to work. Does that sound right to you?

hooleylist · Answer

It looks like that is correct.  I think the logic is: if you're just passing the SSL traffic through the BIG-IP, BIG-IP never sees the SSL handshake--and therefore you can't access the SSL cert info or use SSL-based iRule commands.  I'm not sure whether the client SSL cipher version info is snoop-able in between the client and the server, but I'm pretty sure BIG-IP isn't looking for it (if it is visible) anyhow.&nbsp;
&nbsp;Regardless, you need to decrypt the HTTPS traffic in order to send an HTTP redirect back to the client.&nbsp;
&nbsp;Aaron

Forum Discussion

Disablling SSL v2 to users with iRules

2 Replies

Recent Discussions

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

DEVCENTRAL END-USER LICENSE AGREEMENT

Update your DevCentral user profile

Disabling Weak Ciphers

Irule for diverting blocked gelocation users to a page

Disable cookie persistance in irule