iRule to stop SSLv3 connections

The iRule below, written by my team, will stop all SSLv3 connections. If you are not using the SSL termination capabilities of your BIG-IP and instead are doing TCP load balancing (SSL passthrough to the pool members), then the iRule will protect your servers from the POODLE attack.
If you are doing SSL termination at the BIG-IP, then follow the instructions in the previous article.

Please be sure to test this thoroughly in your production environment. Be sure to check any embedded devices or dedicated devices that might have older legacy software installed.

##############################################
# Name: stop_ssl3 iRule
# Description: This iRule will reject any attempt to connect using
# an SSL3 or lower client.
# VERSION: 3 - 16.oct.14
##############################################

when SERVER_CONNECTED {
  # Debug flag is set here but is not referenced anywhere below.
  set Debug 1
  # Collect the first 3 bytes of the server's reply: the SSL/TLS record
  # header's content type (1 byte) followed by the protocol version (2 bytes).
  set Collect_Len 3
  TCP::collect $Collect_Len
}

when SERVER_DATA {
  set Buf_Len [TCP::offset]
  # Fewer than 3 bytes so far: ask for the remainder and wait for the next event.
  if { $Buf_Len < 3 } {
    incr Collect_Len -$Buf_Len
    TCP::collect $Collect_Len
    return
  }
  # c = signed 8-bit record type, S = signed big-endian 16-bit version.
  # 0x0300 (768) is SSLv3; TLS 1.0 is 0x0301 (769), TLS 1.1 0x0302, TLS 1.2 0x0303.
  binary scan [TCP::payload] cS Rec_Type Version
  if { $Version <= 768 } {
    log local0. "stop_ssl3: Rejecting SSL3 or lower connection attempt from [IP::client_addr]"
    reject
  } else {
    # Negotiated version is above SSLv3; hand the buffered bytes back to the proxy.
    TCP::release
  }
}
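Because the iRule collects in SERVER_CONNECTED and SERVER_DATA, the three bytes it inspects are the start of the server's first record, so the version it compares is the one the server actually chose for the connection. The following Python is an added example, not code from the article or from F5: it decodes those three bytes the same way the iRule's `binary scan ... cS` does (signed Tcl formats reproduced with signed struct codes), applies the same 768 threshold, and adds one branch the iRule does not have, an explicit reject for a 2-byte SSLv2 record header (first byte with the high bit set, which carries no version field in that position). That SSLv2 branch, the sample header bytes and all function names are assumptions made here.

```python
# Added example (not from the original article): decode the first three
# bytes of an SSL/TLS record the way the stop_ssl3 iRule does, and apply
# the same version threshold. All sample headers below are constructed.
import struct

SSL3_VERSION = 0x0300          # 768 decimal, the value the iRule compares against
MIN_HEADER_LEN = 3             # content type (1 byte) + protocol version (2 bytes)

VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def irule_scan(payload: bytes):
    """Mirror `binary scan [TCP::payload] cS Rec_Type Version`.

    Tcl's c and S formats yield signed values, so the signed struct codes
    b and h reproduce exactly what the iRule's Version variable holds."""
    rec_type, version = struct.unpack(">bh", payload[:MIN_HEADER_LEN])
    return rec_type, version


def stop_ssl3_decision(payload: bytes) -> str:
    """Return 'collect', 'reject' or 'release', following the iRule's flow.

    The SSLv2 check is an addition (assumption made in this example): a 2-byte
    SSLv2 record header has the high bit of its first byte set and no version
    field at offset 1, so it is rejected as legacy instead of having its
    length bytes interpreted as a version number."""
    if len(payload) < MIN_HEADER_LEN:
        return "collect"               # the iRule's Buf_Len < 3 branch
    if payload[0] & 0x80:
        return "reject"                # SSLv2-style record header (added branch)
    _, version = irule_scan(payload)
    if version <= SSL3_VERSION:
        return "reject"                # SSLv3 or lower, as in the iRule
    return "release"                   # TLS 1.0 or newer


def describe(payload: bytes) -> str:
    """Human-readable version label for a log line (unknown -> hex)."""
    if len(payload) < MIN_HEADER_LEN:
        return "incomplete"
    if payload[0] & 0x80:
        return "SSLv2 header"
    version = struct.unpack(">H", payload[1:3])[0]
    return VERSION_NAMES.get(version, f"0x{version:04x}")


# Constructed first bytes of a server's first record (a ServerHello record).
SAMPLES = {
    "sslv3 handshake":    b"\x16\x03\x00",
    "tls1.0 handshake":   b"\x16\x03\x01",
    "tls1.2 handshake":   b"\x16\x03\x03\x00\x40",
    "sslv2 server-hello": b"\x80\x4c\x04",   # 2-byte header, message type 0x04
    "partial":            b"\x16\x03",
}


def run_samples():
    """Decision and version label for every constructed sample."""
    return {name: (stop_ssl3_decision(p), describe(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, label) in run_samples().items():
        print(f"{name:20s} {label:14s} -> {decision}")
```

Run it directly to see each sample's decision; `irule_scan` is kept separate from the decision so the signed values the iRule would compute can be inspected when a header does not classify as expected.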


Updated Mar 18, 2022
Version 2.0
