Block page for TLSv1.x or SSL connections

We have a web page/application that we want to reject connections from any client not using at least TLSv1.2. The way we were planning on doing that was to do this in IIS on the server. It would disallow access to the application and display a banner directing them to update their browser and/or OS to a more recent version. But it appears that since TLS is terminating on the F5, when the server-side TLS connection is established to IIS, it's preferring TLSv1.2 and IIS is never seeing the 1.0/1.1 or SSLv3 connections and thus no banner is displayed.

I'd like to block everything but TLSv1.2 at the F5 but also be able to display a page that explains that they need to update their browser rather than them just getting a generic "cannot connect to page" type of response. Not sure the best/easiest way to do this - would it be with an iRule or some block page via LTM policy? I've never done this before so any help would be appreciated.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
when CLIENTSSL_HANDSHAKE {
    # Flag the connection when the negotiated protocol is not TLSv1.2
    if { ( [SSL::cipher version] ne "TLSv1.2" ) } {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # Send flagged clients to the upgrade page, then drop the connection
    if { $invalid_ssl } {
        HTTP::redirect "http://www.example.com/upgradetls"
        TCP::close
    }
}

Here is an iRule from this article. This should suit your needs. You can also serve a custom response with an iFile.

If you have any more questions, I am sure I can help

Comments on this Answer
Comment made 1 month ago by bsm1970 107

I'm confused, when I read that article, it looks like the above code isn't the solution. The first response says that the above only works by accident.

Comment made 1 month ago by Michael Saleem 335

From reading the article, Kai Wilke pointed out that using arithmetical comparison operators in the iRule to check SSL/TLS versions was not a good idea and could produce undesirable results.

You can simply make a small change to the iRule as per Kai's advice. So something like this:

when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] ne "TLSv1.2" ) } {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } 
    HTTP::redirect "http://www.example.com/upgradetls"
    TCP::close
}

Comment made 1 month ago by bsm1970 107

I'm new to iRule syntax. I'm assuming "ne" means "not equal to", correct?

Comment made 1 month ago by Rico 864

Michael is correct. I forgot to change the comparison but the iRule itself should be fine. Since you only want to use TLSv1.2, this is a simple and effective way to refuse all other ciphers.
Thanks for the assist, Michael!

Comment made 1 month ago by bsm1970 107

Also, when I put the revised iRule code in, it won't save it. Gave an error that says "error: [missing a script after "if"][ ]"

Thoughts?

Comment made 1 month ago by bsm1970 107

I think I figured it out. It's missing a "then" statement after the "if { $invalid_ssl }" and another closing "}" after HTTP::redirect "http://www.example.com/upgradetls".

Comment made 1 month ago by Rico 864

I've updated the syntax on the iRule.

Comment made 4 weeks ago by bsm1970 107

I've got this working, but I have a question. Right now it's only allowing TLSv1.2, but 1.3 is around the corner. How can I set this up to accept 1.2 AND 1.3 but nothing else? I tried several ways of doing it and it either caused the rule to redirect for everything (even when using 1.2 for instance) or the iRule editor didn't like the syntax.

Comment made 4 weeks ago by Rico 864

Try changing the if statement to this:

if { ( [SSL::cipher version] ne "TLSv1.2" ) and ( [SSL::cipher version] ne "TLSv1.3" ) } {

This should look for anything that is not either TLS 1.2 or TLS 1.3.

Comment made 4 weeks ago by bsm1970 107

That did it! Thanks everyone!

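As an added example (not Rico's or the thread's own code), the following iRule combines the two points settled above: a string comparison that accepts both TLSv1.2 and TLSv1.3, and an in-line HTTP 426 page served with HTTP::respond instead of a redirect, so no separate plain-HTTP virtual server is needed to host the upgrade notice. It assumes the client SSL profile still negotiates the legacy protocol versions (if the profile disables them, the handshake fails before any page can be shown) and that [SSL::cipher version] reports "TLSv1.3" for TLS 1.3 sessions on the BIG-IP version in use.

```tcl
# Added example, not from the original thread. Accepts TLSv1.2 and TLSv1.3;
# every other negotiated version gets an in-line 426 Upgrade Required page.
# Assumptions: attached to an HTTPS virtual server whose client SSL profile
# still allows the legacy versions to handshake, and [SSL::cipher version]
# returns "TLSv1.3" for TLS 1.3 sessions.

when CLIENTSSL_HANDSHAKE {
    # Record the negotiated protocol once per connection. Compare as strings
    # with eq/ne; the version values are not numbers.
    set tls_version [SSL::cipher version]
    if { ($tls_version eq "TLSv1.2") or ($tls_version eq "TLSv1.3") } {
        set invalid_ssl 0
    } else {
        set invalid_ssl 1
        # Log rejections so the share of affected clients can be measured
        log local0.info "Legacy $tls_version from [IP::client_addr] rejected"
    }
}

when HTTP_REQUEST {
    # If this event fires without a completed client-side handshake
    # (e.g. the iRule is also attached to a non-SSL virtual), do not block.
    if { ![info exists invalid_ssl] } { return }

    if { $invalid_ssl } {
        # 426 Upgrade Required: explain what is missing, then close.
        # $tls_version comes from a fixed set of BIG-IP strings, so it is
        # safe to echo into the page body.
        HTTP::respond 426 content \
            "<html><body><h1>Connection refused: $tls_version</h1>\
             <p>This site requires TLS 1.2 or newer. Please update your \
             browser or operating system.</p></body></html>" \
            noserver "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```

Because the page is served on the same HTTPS virtual server, the legacy client never needs a second, plain-HTTP listener to reach the notice; the trade-off is that the profile must keep the old versions enabled until the notice is no longer needed.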
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Please see my post here, especially my last comment on the bottom of the page:

https://devcentral.f5.com/questions/tls-10-pci-and-a-custom-message-for-http-response-status-codes-55672
