Enforcing SSL Ciphers from target external IP's?

Question

Is it possible with iRules for me to enforce a SSL cipher level for a select group of external IP's that are accessing a shared website?&nbsp;
&nbsp;Thanks for anyone that can spare some advice or if possible a starting point.&nbsp;&nbsp;

joe_pruitt · Answer

Sure it's possible.  The questions is how many external IPs are you looking at.  Is it a list of addresses, or subnets.  
Here's how you could do it for a set of fixed addresses*** Begin Data Group ***
class valid_addresses {
  "10.10.10.10"
  "10.10.10.11"
  "10.10.10.12"
}
*** Begin iRule ***
when HTTP_REQUEST {
  if { [matchclass [IP::client_addr] equals $::valid_addresses] } {
     check for at least 128 bits of encryption
    if { [SSL::cipher bits] &lt; 128 }{
       when browser cannot do at least 128 bits of encryption redirect
       to a un-encrypted page with an informational error
      HTTP::redirect http://10.10.10.10/error/sslerr.html
    }
  }
}
This should at least get you started...
-Joe

Forum Discussion

Enforcing SSL Ciphers from target external IP's?

1 Reply

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Enforce Server Cipher proposal in preferred order

Cipher Suites Supported (12.1.5.3)

BoT Defense Profile, Signature Enforcement

LTM Cipher rule

Disabling Weak Ciphers