pci

3 Topics

TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements. Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out. To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement. To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see: 4.2 Mandatory Advertisement in RFC2817 Server-initiated upgrade to TLS The expected result is: HTTP/1.1 426 Upgrade Required Upgrade: TLS/1.1, HTTP/1.1 Connection: Upgrade ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... Unfortunately, F5 gives me the following result: HTTP/1.1 426 Unknown Code Upgrade: TLS/1.1, HTTP/1.1 Connection: close ... Human-readable HTML page describing why the upgrade is required and what to do if this text is seen ... My iRule looks like this: Detect TLSv1.0 protocol and send HTTP 426 when HTTP_REQUEST priority 150 { if { [SSL::cipher version] equals "TLSv1" } { log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]" HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close" event disable return } } If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client. My questions are: Question 1: is there a way in F5 to replace the message in HTTP response, so that it says: HTTP/1.1 426 Upgrade Required instead of HTTP/1.1 426 Unknown Code Question 2: is there a way to force F5 to send HTTP header that says: Connection: Upgrade instead of Connection: close or Connection: Keep-Alive
Juraj_314736
Nov 23, 2022 Place Technical Forum
777Views
0likes
5Comments
python show running-config
I am trying to get a Python script to output the running config of my F5, to show everything from authentication to pools to ntp settings. With TMSH/SSH it's so easy doing 'show running-config' and then saving that output. Is there anything similar to this that I can do with the Python F5-SDK? I am trying to generate this in a cleaner fashion than 'show running-config' does it as I use this for PCI compliance evidence. Any help would be appreciated. To muddy the waters a bit I am EXTREMELY new to F5 products.
Solved
dvalve_376192
Apr 28, 2020 Place Technical Forum
2.9KViews
0likes
10Comments
PCI Implications of an LTM
Hello All, I am decommissioning a pair of LTM running 9.4.8. I need to remove them from the datacenter but the business is concerned that there might be PCI data on it. Credit cards were processed over the traffic that transversed these LTMs. I let them know that the LTM would not store data that is going over it's wires but they want to be sure and want some kind of documentation confirming this. I ran several searches but can not find such documentation. Can anyone point me to information that could alleviate their PCI concerns? Additional note: Web acceleration is not running on these. Would there be anything else I would look for that might cache traffic? Thanks!
Solved
murphs76_64953
Feb 27, 2014 Place Technical Forum
409Views
0likes
2Comments