Forum Discussion
Kai_Wilke (MVP), Jan 09, 2016
Hi Visvesh,
You can use the iRule below as a starting point. It performs the cipher checks during CLIENTSSL_HANDSHAKE to speed up keep-alive sessions, and then just triggers the [HTTP::redirect] during HTTP_REQUEST to send the friendly error message...
when CLIENTSSL_HANDSHAKE {
    # Evaluate the negotiated cipher once per TCP connection, so the
    # per-request handler only has to test a flag.
    if { ( [SSL::cipher version] contains "SSL" ) or
         ( [SSL::cipher name] contains "DES" ) or
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] < 128 ) } then {
        log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # Guard against the flag never having been set, e.g. if the iRule is
    # attached to a virtual server that has no client-ssl profile.
    if { [info exists invalid_ssl] && $invalid_ssl } then {
        HTTP::redirect http://www.domain.de/errorpage.html
    }
}
You may also take a look at Stephan's cipher cheat sheet if you need to tweak the contained cipher values.
https://devcentral.f5.com/questions/tmos-ssl-tls-cipher-cheat-sheetanswer131007
Cheers, Kai
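The following is an added illustration, not part of Kai's post and not F5 code: a stand-alone Python model of the iRule's cipher policy, so the match semantics can be checked against sample handshake parameters without a BIG-IP. The `Handshake` fields mirror `[SSL::cipher version]`, `[SSL::cipher name]` and `[SSL::cipher bits]`; the sample cipher names are standard OpenSSL names, and the version/bits pairings are constructed for illustration (the exact bit counts TMOS reports may differ). It makes visible two things the rule's text does not spell out: the "DES" substring also catches 3DES (DES-CBC3-SHA), and a strong cipher over SSLv3 is still denied by the version check.

```python
# Added example (not from the DevCentral post): a stand-alone model of the
# iRule's cipher policy. Field names mirror the iRule's [SSL::cipher version],
# [SSL::cipher name] and [SSL::cipher bits].
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Handshake:
    version: str   # e.g. "TLSv1.2", "SSLv3"
    name: str      # OpenSSL-style cipher name as TMOS reports it
    bits: int      # symmetric key strength in bits


def deny_reason(hs: Handshake) -> Optional[str]:
    """Return why the iRule would flag this handshake, or None if it passes.

    These are the same substring/threshold checks as the iRule, evaluated in
    the same order, so the first matching rule is the reported reason."""
    if "SSL" in hs.version:          # SSLv2 / SSLv3
        return "legacy SSL protocol"
    if "DES" in hs.name:             # DES and 3DES (e.g. DES-CBC3-SHA)
        return "DES/3DES cipher"
    if "RC4" in hs.name:
        return "RC4 cipher"
    if hs.bits < 128:                # export-grade / 56-bit / 40-bit suites
        return "key strength below 128 bits"
    return None


def evaluate(handshakes: Iterable[Handshake]) -> Dict[Handshake, Optional[str]]:
    """Map each handshake to its deny reason (None means allowed)."""
    return {hs: deny_reason(hs) for hs in handshakes}


# Constructed sample handshakes (cipher names are standard OpenSSL names;
# the version/bits combinations are illustrative).
SAMPLES = [
    Handshake("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    Handshake("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
    Handshake("SSLv3",   "AES256-SHA", 256),      # strong cipher, legacy protocol
    Handshake("TLSv1",   "DES-CBC3-SHA", 168),    # 3DES: caught by the "DES" substring
    Handshake("TLSv1",   "RC4-SHA", 128),         # 128-bit but RC4
    Handshake("TLSv1",   "EXP-RC2-CBC-MD5", 40),  # export-grade
]

if __name__ == "__main__":
    for hs, reason in evaluate(SAMPLES).items():
        verdict = "allow" if reason is None else f"deny ({reason})"
        print(f"{hs.version:8} {hs.name:32} {hs.bits:4} bits -> {verdict}")
```

Running the script prints one verdict per sample; only the two AES-GCM suites over TLSv1.2 are allowed. Note that the substring checks are case-sensitive, as `contains` is in the iRule, so they assume cipher names in the upper-case form TMOS reports.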