
iRule for checking connection's SSL/TLS protocol version

Hi,

In view of POODLE, we are going to disable SSLv3. And we want to find out those clients that are still using it before implementation. But it seems that there is no method to check a connection's SSL/TLS protocol version in an iRule.

SSL::cipher version only tells the protocol version that introduced the negotiated cipher. And there is no event for intercepting traffic from the ADC to the client.

I wonder if there is any function in iRules that can do that.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Are you looking to gauge the number of SSLv3 requests or are you wanting to intercept the connection and do something else?

If it's the former, you can view statistics under Overview -> Statistics -> Local Traffic -> Statistics Type (Profile Summary) -> Client SSL.

0
Comments on this Answer
Comment made 20-Oct-2014 by Manuel 384
I haven't been able to find that Gauge. What version should the LTM be running?
0
Comment made 20-Oct-2014 by kwkyiu 5
Both v10 & v11 had it. If you want per-profile stats, use "tmsh show /ltm profile client-ssl".
0
Comment made 20-Oct-2014 by kwkyiu 5
We are going to log those client IPs, so statistics are not what we are looking for.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Check out the following link. You could customize the iRule to suit your purposes.

https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections

0
Comments on this Answer
Comment made 20-Oct-2014 by kwkyiu 5
We are using SSL termination (client SSL profile only), thus that iRule does not work. The problem is that there is no event that can intercept ADC-to-client traffic (we have CLIENT_DATA for client-to-ADC and SERVER_DATA for server-to-ADC).
0
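The comment above pins down the actual constraint: once the client-ssl profile terminates TLS, the iRule events only see decrypted payload, so the version a client offers has to be read from the raw ClientHello before decryption (for instance from a packet capture taken on the client side of the BIG-IP). As an added example that is not code from this thread, from the linked article or from F5, the Python below parses exactly those bytes: the record-layer version, the client_version field, and the supported_versions extension that TLS 1.3 clients use, plus the legacy SSLv2-compatible hello format that very old clients still send. Every function name is my own, and the sample hellos are constructed in the block (not captured traffic), as are the 192.0.2.x client addresses in the log lines.

```python
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions extension (RFC 8446)


def version_name(code):
    return VERSION_NAMES.get(code, "unknown(0x%04x)" % code)


def _be(buf, pos, n):
    """Big-endian unsigned int of n bytes at pos; ValueError if truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(buf[pos:pos + n], "big")


def parse_client_hello(data):
    """Return record version, client_version, supported_versions and the highest
    version offered. Accepts the TLS record format (first byte 0x16) and the
    legacy SSLv2-compatible format (high bit set) that old clients still send."""
    if data and data[0] & 0x80:
        # SSLv2-format record: 15-bit length, msg type 0x01, then the highest
        # version the client supports (0x0300 here means "up to SSLv3")
        if _be(data, 2, 1) != 0x01:
            raise ValueError("not an SSLv2-format CLIENT-HELLO")
        cv = _be(data, 3, 2)
        return {"record_version": 0x0002, "client_version": cv,
                "supported_versions": [], "max_version": cv}
    if not data or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = _be(data, 1, 2)
    body = data[5:5 + _be(data, 3, 2)]
    if _be(body, 0, 1) != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + _be(body, 1, 3)]
    client_version = _be(hello, 0, 2)
    pos = 2 + 32                        # client_version + random
    pos += 1 + _be(hello, pos, 1)       # session_id
    pos += 2 + _be(hello, pos, 2)       # cipher_suites
    pos += 1 + _be(hello, pos, 1)       # compression_methods
    supported = []
    if pos + 2 <= len(hello):           # the extensions block is optional
        end = pos + 2 + _be(hello, pos, 2)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _be(hello, pos, 2), _be(hello, pos + 2, 2)
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT and ext:
                # TLS 1.3 clients keep client_version at 0x0303 and list the
                # real versions here; GREASE values (0x?A?A) are dropped
                supported = [_be(ext, i, 2) for i in range(1, 1 + _be(ext, 0, 1), 2)
                             if (_be(ext, i, 2) & 0x0F0F) != 0x0A0A]
    return {"record_version": record_version, "client_version": client_version,
            "supported_versions": supported,
            "max_version": max(supported) if supported else client_version}


def log_line(client_ip, data):
    """One line per client; LEGACY marks clients that cannot do better than SSLv3."""
    info = parse_client_hello(data)
    legacy = " LEGACY" if info["max_version"] <= 0x0300 else ""
    return "%s max=%s client_version=%s record=%s%s" % (
        client_ip, version_name(info["max_version"]),
        version_name(info["client_version"]), version_name(info["record_version"]), legacy)


def build_client_hello(client_version, cipher_suites, supported_versions=None,
                       sslv2_format=False):
    """Build a minimal ClientHello (constructed test bytes, not captured traffic)."""
    if sslv2_format:  # SSLv2 CLIENT-HELLO: 3-byte cipher specs, 16-byte challenge
        specs = b"".join(b"\x00" + struct.pack("!H", c) for c in cipher_suites)
        body = (b"\x01" + struct.pack("!H", client_version)
                + struct.pack("!HHH", len(specs), 0, 16) + specs + b"\x11" * 16)
        return struct.pack("!H", 0x8000 | len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (struct.pack("!H", client_version) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = (struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 1 + len(vers))
               + bytes([len(vers)]) + vers)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    # record-layer version: SSLv3 clients send 0x0300, TLS clients usually 0x0301
    return (b"\x16" + struct.pack("!H", min(client_version, 0x0301))
            + struct.pack("!H", len(hs)) + hs)


if __name__ == "__main__":  # constructed sample clients, not real addresses
    samples = {
        "192.0.2.10": build_client_hello(0x0300, [0x002F, 0x0035]),
        "192.0.2.11": build_client_hello(0x0303, [0x1301, 0xC02F],
                                         supported_versions=[0x0A0A, 0x0304, 0x0303]),
        "192.0.2.12": build_client_hello(0x0300, [0x002F], sslv2_format=True),
    }
    for ip, hello in samples.items():
        print(log_line(ip, hello))
```

Fed the first TLS record of each client connection, log_line gives the per-client-IP list the poster is after; the max_version field is the one to act on, since a TLS 1.2 client that merely sets the record-layer version to 0x0301 for compatibility must not be counted as a legacy client.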