iRule to stop SSLv3 connections
The below iRule written by my team will stop all SSLv3 connections. If you are not using the SSL termination capabilities of your BIG-IP and instead are doing TCP load balancing, then the iRule will protect your servers from the POODLE attack.
If you are doing SSL termination at the BIG-IP, then follow the instructions in the previous article .
Please be sure to test this thoroughly in your production environment. Be sure to check any embedded devices or dedicated devices that might have older legacy software installed.
############################################## # Name: stop_ssl3 iRule # Description: This irule will reject any attempt to connnect using # an SSL3 or lower client. # VERSION: 3 - 16.oct.14 ############################################## when SERVER_CONNECTED { set Debug 1 set Collect_Len 3 TCP::collect $Collect_Len } when SERVER_DATA { set Buf_Len [TCP::offset] if { $Buf_Len < 3 } { incr Collect_Len -$Buf_Len TCP::collect $Collect_Len return } binary scan [TCP::payload] cS Rec_Type Version if { $Version <= 768 } { log local0. "stop_ssl3: Rejecting SSL3 or lower connection attempt from [IP::client_addr]" reject } else { TCP::release } }
Updated Mar 18, 2022
Version 2.0
11 Comments
ccna55_14039Nimbostratus
First off i want to say thanks for the irule, This is very close to what we were looking to be able to complete some of our testing. Question (By know means am i an irule expert or complaining) i am more just curious in your thoughts? Was there a reason why you chose not to use CLIENT_ACCEPTED and CLIENT_DATA? I know you can disable sslv3 via client ssl profile however in the case a profile is wildcarded *.domain.com and same profile used on many VIP's. If you have a scenario where as you only want to test a few VIPs at a time that use the same clientside wildcarded profile. It appears using this same irule above with a few minor modifications will work with SSL offloading and non SSL offloading clients, Thus using an irule per vip even if using the same ssl client profile will work to reject those connections. Problem i am trying to solve now is to somehow send something back to client to alert them why we rejected instead of just a plain tcp reject. i tried various options including TCP::respond to no avail. Here is my test irule based upon above for non-ssl and ssl offload connections. when CLIENT_ACCEPTED { set Collect_Len 3 TCP::collect $Collect_Len } when CLIENT_DATA { set Buf_Len [TCP::offset] if { $Buf_Len < 3 } { incr Collect_Len -$Buf_Len TCP::collect $Collect_Len return } binary scan [TCP::payload] cS Rec_Type Version if { $Version <= 768 } { log local0.notice "Rejecting SSLv3 or lower connection attempts from [IP::client_addr] to [IP::local_addr]" reject } else { TCP::release } } Thanks again, ccna55- ccna55_14039Sorry for the bad format, i was not able to review before submit. ccna55
kwkyiu_53019SERVER_DATA is used as client only propose the Max SSL/TLS version it will use. Server shall response with SSL/TLS version that is the negotiated version. So checking CLIENT_DATA will miss cases like client propose TLS 1.2 and server response with SSL 3.0- ccna55_14039In our case we didnt want the server nor client responding to sslv3. Thanks for the info. ccna55
- boktai1000_1750Hello ccna55, I would be very interesting in receiving your modified iRule (you mentioned with a few minor modifications that it will work with SSL offloading and non SSL offloading clients). We have SSL termination on almost every VIP on our F5 BIG-IP, and being able to turn SSLv3 on and off is very desirable for us. I have search devcentral for such a script, and maybe I haven't looked hard enough or overlooked something, but my research has led me here and I am wondering if you are willing to share this with the community. Thanks!
- ccna55_14039As requested here is the script i used. I give Jeff all the Credit for this, i just took his script and modified it for my own usage. I have tested this successfully on many vips as i mentioned with or without SSL offloading. Issue you will have is this is all happening at Layer4 thus no way (That i have found yet) to alert client to why you rejected or dropped them. Here is the modified script i used. Name: Block-SSLV3-and-Lower2-TCPLayer Description: This irule will reject any attempt to connnect using an SSL3 or lower client. This is at the TCP layer you cant send a html page back to user. This will work for types of connections ssl-offload and no ssl-offload. Just needs to use the TCP profile. when CLIENT_ACCEPTED { set Collect_Len 3 TCP::collect $Collect_Len } when CLIENT_DATA { set Buf_Len [TCP::offset] if { $Buf_Len < 3 } { incr Collect_Len -$Buf_Len TCP::collect $Collect_Len return } binary scan [TCP::payload] cS Rec_Type Version if { $Version <= 768 } { log local0.notice "Rejecting SSLv3 or lower connection attempts from [IP::client_addr] to [IP::local_addr]" reject } else { TCP::release } }
- ccna55_14039Sorry again for the format, i tried the 4 space/tab option to paste the code in the correct format. However as you can see it didn't work. If someone needs the code send me a message and i will send it to you. I am unsure how to paste the code in nice format. Sorry, ccna55
- boktai1000_1750Awesome, thanks ccna55! I am a bit worried about the formatting though, you could try pasting it on a website like pastebin (http://pastebin.com/) and posting a link here? I believe that will fix the formatting and make it a lot more readable to other viewers as well. Again, thanks so much for following up!
RobertColbertIf you want more control over what happens to the connection (i.e. redirect to another page) you could use something like this: when HTTP_REQUEST { set cipherSuite [SSL::cipher version] if { $cipherSuite equals "SSLv3" } { log local0. "SSL3 connection detected from [IP::client_addr] for [virtual name]" HTTP::redirect http://noSSLv3/page.html TCP::close } }- RobertColbertIf you want more control over what happens to the connection (i.e. redirect to another page) you could use something like this: [code] when HTTP_REQUEST { set cipherSuite [SSL::cipher version] if { $cipherSuite equals "SSLv3" } { log local0. "SSL3 connection detected from [IP::client_addr] for [virtual name]" HTTP::redirect http://noSSLv3/page.html TCP::close } } [/code]
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}