
redirect to ifile page if TLS 1 or 1.1 is used

Hello,

Kindly note that the following iRule was applied on the VS but it's not working properly:

when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" } {
        HTTP::respond 503 content [ifile get maintenance]
    }
}

As per the below, the ifile exists and is verified on the CLI. Also, on Firefox I'm forcing the use of TLS v1.

[root@f5-IB-1:Active:In Sync] config # tmsh list sys file ifile
sys file ifile maintenance {
    checksum SHA1:714:28de1ccd8407b517163fdcdc352ae847f46df53c
    create-time 2018-01-09:10:07:18
    created-by admin
    last-update-time 2018-01-09:10:07:18
    mode 33188
    revision 1
    size 714
    updated-by admin
}


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello Abouleil,

Try the following code

when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" || [SSL::cipher version] eq "TLSv1.1" } {
        HTTP::respond 503 content [ifile get "/Common/maintenance"]
    }
}

Verify that your ifile is under the "Common" partition or replace "Common" by your partition name.

Regards

0
Comments on this Answer
Comment made 09-Jan-2018 by Jad Tabbara (JTI) 2361

Could you check if any error is logged in /var/log/ltm ?

0
Comment made 09-Jan-2018 by aboulleill 64

Dear JTI,

I've created the provided iRule on the Common partition and mapped it to the VS. But unfortunately it is still not redirecting to the maintenance page... and I'm getting the default SSL error Secure Connection Failed...

Best Regards, Ralph El Habr

0

I think you will need to create an LTM iFile object as well; the sys file ifile is used to import the file into iFile, but the reference for use is through ltm.

The following on TMSH should create the iFile for reference within an iRule:

create ltm ifile maintenance file-name maintenance

Or on the Web GUI:

  1. On the Main tab, click Local Traffic > iRules > iFile List.
  2. Click Create.
  3. In the Name field, type a new name for the iFile, such as ifileURL.
  4. From the File Name list, select the name of the imported file object, such as 1k.html.
  5. Click Finished. The new iFile appears in the list of iFiles.
0

I'm still getting the default browser SSL error below; it's still not redirecting to the customized ifile HTML page.


Secure Connection Failed An error occurred during a connection to 192.168.110.115. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

It looks like your network security settings might be causing this. Do you want the default settings to be restored?

0
Comments on this Answer
Comment made 09-Jan-2018 by Andy McGrath 2250

Looks like you're getting an SSL issue, likely not having a compatible cipher suite between the F5 configuration and the browser.

If you take the iRule off the Virtual Server, does this work? If not, I would get this working first with the desired cipher suite and SSL/TLS protocols.

With this in mind, are you able to provide your SSL Profile configuration (excluding the cert and key info)?

0

Hello

Find below an optimised iRule:

when HTTP_REQUEST {
    switch -glob [SSL::cipher version] {
        "TLSv1.*" {
            HTTP::respond 503 content [ifile get maintenance] "Content-Type" "text/html"
        }
        default {
            # do nothing
        }
    }
}

I think you just forgot to reference your iFile in LTM. Go to Local Traffic, iRules, then "iFile List", then create your iFile reference with the name maintenance...

Regards,

0
Comments on this Answer
Comment made 09-Jan-2018 by aboulleill 64

Hello,

Will "TLSv1.*" block TLS 1.2 also? If this is the case I don't think this will help, knowing that I need to have only TLS 1.2 activated.

As for the iFile LTM reference, it's already done, as per the photos sent previously within the conversation.

Thank you anyway.

0
Comment made 09-Jan-2018 by youssef 3588

In this case use the following iRule:

when HTTP_REQUEST {
    switch -glob [SSL::cipher version] {
        "TLSv1" -
        "TLSv1.1" {
            HTTP::respond 503 content [ifile get maintenance] "Content-Type" "text/html"
        }
        default {
            # do nothing
        }
    }
}
0
Comment made 09-Jan-2018 by aboulleill 64

Also no effect; I'm still getting the default browser error:

Secure Connection Failed

An error occurred during a connection to 192.168.110.115. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

It looks like your network security settings might be causing this. Do you want the default settings to be restored?

0

still not working :(


0
Comments on this Answer
Comment made 09-Jan-2018 by youssef 3588

Hello,

Did you check the output logs in /var/log/ltm during your test?

You can add a log statement in your iRule: log local0. "cipher version: [SSL::cipher version]"

Regards,

0
Comment made 09-Jan-2018 by aboulleill 64

Dear Youssef,

Yes, this is what the logs are showing, and it's normal, but it seems the iRule is not working.

Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
Jan 9 11:50:05 f5-IB-1 warning tmm1[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:05 f5-IB-1 info tmm1[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6405 -> 192.168.110.115%10:443

0
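The "unsupported version" warnings paired with "SSL Handshake failed" in the log above are the evidence that the client is rejected before HTTP_REQUEST ever fires. As an added example, not code from this thread or from F5, here is a small Python parser that counts those messages in /var/log/ltm output and tells the two situations apart: handshake rejected by the profile versus the iRule actually running. Both sample log texts are constructed for the example (the first is modelled on the lines quoted above; the second assumes the log local0. statement suggested earlier in the thread, with a hypothetical iRule name /Common/tls_maintenance).

```python
import re
from collections import Counter

# Constructed sample: /var/log/ltm while the client SSL profile still rejected
# TLS 1.0/1.1 (modelled on the lines quoted in the thread).
LOG_BEFORE_FIX = """\
Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
"""

# Constructed sample: once the profile lets the handshake complete, the iRule's
# 'log local0.' line shows up (hypothetical iRule name /Common/tls_maintenance).
LOG_AFTER_FIX = """\
Jan 9 12:03:10 f5-IB-1 info tmm1[20682]: Rule /Common/tls_maintenance <HTTP_REQUEST>: cipher version: TLSv1
Jan 9 12:03:14 f5-IB-1 info tmm2[20682]: Rule /Common/tls_maintenance <HTTP_REQUEST>: cipher version: TLSv1.2
"""

HANDSHAKE_FAIL = re.compile(
    r"SSL Handshake failed for TCP (?P<src>[\d.]+)(?:%\d+)?:\d+ -> (?P<dst>[\d.]+)(?:%\d+)?:(?P<dport>\d+)"
)
UNSUPPORTED_VERSION = re.compile(r"ssl_hs_rxhello:\d+: unsupported version \(\d+\)")
IRULE_VERSION = re.compile(r"Rule (?P<rule>\S+) <HTTP_REQUEST>: cipher version: (?P<version>\S+)")


def analyse_ltm_log(text):
    """Count handshake failures per client IP, ClientHello rejections for an
    unsupported protocol version, and the TLS versions the iRule actually saw."""
    summary = {
        "handshake_failures": Counter(),
        "unsupported_version": 0,
        "irule_versions": Counter(),
    }
    for line in text.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if m:
            summary["handshake_failures"][m.group("src")] += 1
        elif UNSUPPORTED_VERSION.search(line):
            summary["unsupported_version"] += 1
        else:
            m = IRULE_VERSION.search(line)
            if m:
                summary["irule_versions"][m.group("version")] += 1
    return summary


def diagnose(summary):
    """Map the counters onto the situations discussed in the thread."""
    rejected = summary["unsupported_version"] > 0
    reached_irule = bool(summary["irule_versions"])
    if rejected and not reached_irule:
        # The profile refuses the offered protocol, so HTTP_REQUEST never fires
        # and no iRule gets the chance to send the maintenance page.
        return "profile_rejects_protocol"
    if rejected and reached_irule:
        return "partial"          # some clients rejected at handshake, others served
    if reached_irule:
        return "irule_running"
    return "no_tls_evidence"


if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE_FIX), ("after", LOG_AFTER_FIX)):
        s = analyse_ltm_log(text)
        print(label, diagnose(s), dict(s["handshake_failures"]), dict(s["irule_versions"]))
```

Run it against a real file with `analyse_ltm_log(open("/var/log/ltm").read())`; a result of "profile_rejects_protocol" means the fix belongs in the client SSL profile, not in the iRule.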
Comment made 09-Jan-2018 by youssef 3588

Hi Aboulleill,

I think that your problem is not due to the iRule. You are blocked before iRule execution. It seems that your SSL handshake failed because you use an unsupported version (protocol).

Can you confirm that you don't set cert auth in your SSL client profile? What did you set in the "Ciphers" option of your client SSL profile?

And did you test access to your VS with another browser?

Regards,

0
Comment made 09-Jan-2018 by aboulleill 64

Dear Youssef,

It's working now :) It was set inside the SSL client profile: ECDHE:!TLSv1:!3DES:!TLSv1_1:!SHA:!NONE. But after returning to the default ciphers, the redirection works perfectly.

Thank you very much for your support.

Best Regards,

0
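The resolution above is the key point of the thread: `!TLSv1:!TLSv1_1` in the client SSL profile's cipher string rejects the handshake itself, so an HTTP_REQUEST iRule can never answer a TLS 1.0 client; the maintenance page only works once the profile lets the handshake complete and the iRule does the selecting. As an added example that is not from the thread or from F5, this Python model separates those two stages and also reproduces the `switch -glob` question raised earlier (whether "TLSv1.*" catches TLS 1.2). It interprets only the `!TLSv1`/`!TLSv1_1`/`!TLSv1_2` protocol negations of a cipher string (an assumed simplification of the real cipher-string grammar, which also selects key exchange, ciphers and hashes) and uses `fnmatch` as a stand-in for Tcl's glob matching.

```python
import fnmatch

# Cipher-string tokens that switch a protocol version off in a client SSL
# profile, e.g. "!TLSv1". Simplification (assumption for this model): every
# other token is treated as cipher selection and ignored here.
NEGATED_PROTOCOL_TOKENS = {"TLSv1": "TLSv1", "TLSv1_1": "TLSv1.1", "TLSv1_2": "TLSv1.2"}
PROTOCOL_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")

# The cipher string the thread's profile had, and the default it went back to.
RESTRICTIVE_CIPHERS = "ECDHE:!TLSv1:!3DES:!TLSv1_1:!SHA:!NONE"
DEFAULT_CIPHERS = "DEFAULT"   # modelled as allowing every version in PROTOCOL_VERSIONS


def allowed_versions(cipher_string):
    """Protocol versions a profile with this cipher string still negotiates."""
    allowed = set(PROTOCOL_VERSIONS)
    for token in cipher_string.split(":"):
        if token.startswith("!") and token[1:] in NEGATED_PROTOCOL_TOKENS:
            allowed.discard(NEGATED_PROTOCOL_TOKENS[token[1:]])
    return allowed


def irule_http_request(cipher_version, patterns):
    """Model of the thread's HTTP_REQUEST iRule: 'switch -glob' over
    [SSL::cipher version]. Returns the status the iRule responds with, or None
    when the default branch does nothing and the request goes on to the pool."""
    for pattern in patterns:
        # fnmatchcase gives the same answer as Tcl glob for these patterns:
        # '*' matches anything, '.' is literal.
        if fnmatch.fnmatchcase(cipher_version, pattern):
            return 503
    return None


def handle_client(client_version, cipher_string, patterns):
    """Stage 1: the profile decides whether the handshake completes at all.
    Stage 2: only a completed handshake reaches HTTP_REQUEST and the iRule."""
    if client_version not in allowed_versions(cipher_string):
        # Browser side: SSL_ERROR_NO_CYPHER_OVERLAP; BIG-IP side: 'unsupported
        # version' in /var/log/ltm. No iRule event has run at this point.
        return "handshake_failed"
    status = irule_http_request(client_version, patterns)
    return "passed_to_pool" if status is None else f"http_{status}"


EXACT_PATTERNS = ("TLSv1", "TLSv1.1")   # the final iRule from the thread
GLOB_PATTERN = ("TLSv1.*",)             # the pattern the questioner worried about


if __name__ == "__main__":
    for version in PROTOCOL_VERSIONS:
        print(version,
              "restrictive:", handle_client(version, RESTRICTIVE_CIPHERS, EXACT_PATTERNS),
              "default:", handle_client(version, DEFAULT_CIPHERS, EXACT_PATTERNS),
              "glob:", handle_client(version, DEFAULT_CIPHERS, GLOB_PATTERN))
```

Two things the model makes visible: with the restrictive string, TLS 1.0 and 1.1 clients fail at stage 1 and the iRule never sees them, while with the default string they reach the iRule and get the 503 page; and the glob "TLSv1.*" matches "TLSv1.2" but not the bare "TLSv1", which is why the exact-match list is the right iRule. The trade-off to keep in mind: to show the page to a TLS 1.0 client the virtual server has to complete a TLS 1.0 handshake, so the profile still exposes that protocol; the iRule only keeps such clients away from the pool, it does not stop them negotiating.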
Comment made 09-Jan-2018 by youssef 3588

Dear Aboulleill,

You're welcome!!!

Regards

0