Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Display a warning on client browser when cipher suite mismatch

Go to solution
L__G_
Altostratus
Altostratus

‎31-Mar-2022 01:32

Hello,

We have a ssl profile with a very limited ciphers suite (TLS1.2, TLS1.3 and other limitations).

Is it possible to display a warning message on a browser when there is no match between browser cipher suite and our VS SSL profile cipher suite (via irule, policy, ...) ?

For example when client uses TLS 1.0, we want its browser to display a "please update your browser" or a "your cipher is not permited on our site" message.

Thank you for your help

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Dario_Garrido
MVP
MVP

‎01-Apr-2022 02:19 - edited ‎01-Apr-2022 02:20

Hello L__G_

When you use an HTTPS scheme in your browser, you are asking the browser to perform a TLS handshake before sending any HTTP traffic. If both ciphers don't match, you will receive a TLS Alert during the TLS handshake and the connection will be interrupted.

To respond with a specific message, you should send somehow an HTTP traffic response without encryption, but you cannot respond with an HTTP packet because:
1. Your TLS handshake was finished abruptly
2. In HTTP, you only respond to queries that were initiated by the client, and you didn't send any query to the server because the TLS was interrupted.

So, this is technically restricted by the protocol.

 

Regards,
Dario.

View solution in original post

5 REPLIES 5

Go to solution
Dario_Garrido
MVP
MVP

‎01-Apr-2022 02:19 - edited ‎01-Apr-2022 02:20

Hello L__G_

When you use an HTTPS scheme in your browser, you are asking the browser to perform a TLS handshake before sending any HTTP traffic. If both ciphers don't match, you will receive a TLS Alert during the TLS handshake and the connection will be interrupted.

To respond with a specific message, you should send somehow an HTTP traffic response without encryption, but you cannot respond with an HTTP packet because:
1. Your TLS handshake was finished abruptly
2. In HTTP, you only respond to queries that were initiated by the client, and you didn't send any query to the server because the TLS was interrupted.

So, this is technically restricted by the protocol.

 

Regards,
Dario.

Go to solution
L__G_
Altostratus
Altostratus
In response to Dario_Garrido

‎04-Apr-2022 00:35

Hello Diaro_Garrido.

After my readings, I didn't have high hopes on this point. Thank you for your help.

0 Kudos

Go to solution
MaximP
Cirrus
Cirrus

‎01-Apr-2022 03:45 - edited ‎01-Apr-2022 05:38

L__G_, hello.

There is an option. You can create less strong SSL profile, that supports, let's say, TLSv1, but response with a sorry page for users who use TLSv1. In that case you have to allow unwanted chiper suites, but you don't process this unsecure traffic to an application.

Example Irule below

 

 

 

when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] equals "TLSv1" ) } {
        set Invalid_SSL 1
    } else {
        set Invalid_SSL 0
    }
}
when HTTP_REQUEST {
  if { $Invalid_SSL == 1 } {
    HTTP::respond 200 content "<html><head><title>HTTP Request denied</title></head><body>Please update your browser</body></html>"  
    return
  }
}

 

 

 

  

Go to solution
Dario_Garrido
MVP
MVP
In response to MaximP

‎01-Apr-2022 05:28 - edited ‎01-Apr-2022 05:31

 

Sure, filtering at app level is possible.

Great approach!

Regards,
Dario.

Go to solution
L__G_
Altostratus
Altostratus
In response to MaximP

‎04-Apr-2022 00:30

Hello MaximP,

Thank you for your reply.

Unfortunatly, our Security Manager wants our profile to be TLSv1.2 or TLS 1.3.

It seems there is no solutions except a browser error.

Thank you again for your help.

0 Kudos
Copyright © 2023 Khoros, LLC