irule to choose clientside SSL profile for LDAP VIP

Question

Hi all&nbsp;
I have a VIP for our AD LDAP, while the majority of our clients can connect to TLS, some legacy apps still require SSLv3.&nbsp;
Has anyone created a iRule that detects a SSLv3 attempt and redirects the request to a different clientside SSL profile?&nbsp;
I have seen a few rules but nothing precise to what I would like to do.&nbsp;
Thanks&nbsp;
Chung&nbsp;

kunjan · Answer

I think not possible to switch dynamically based on SSL version. But should be able to switch the client SSL profile based on a pre-determined IP list on  CLIENT_ACCEPTED event.&nbsp;

chungyu_16122 · Answer

I was thinking of collecting the in coming IP address:&nbsp;
when CLIENTSSL_HANDSHAKE {
  if {[SSL::cipher version] eq "SSLv3"}{
  log local0. "[IP::client_addr] [SSL::cipher version]"
}
}&nbsp;
And then once I get a sufficient idea of the clients connecting to our AD service via SSLv3, I could do something like this:&nbsp;
when CLIENT_ACCEPTED {
    if { [class match $SITE equals SSLv3_Client]} {
        SSL::profile ADC_LDAP_SSL3
    } else {
        SSL::profile ADC_LDAP
    }
}&nbsp;

Forum Discussion

irule to choose clientside SSL profile for LDAP VIP

2 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Choosing an Instance for F5 BIG-IP in AWS

err tmm1[24399]: 011f0007:3: http_process_state_prepend - Invalid action:0x107041 clientside

Choose Your Operator Wisely

SSL Profiles

Server Profile SNI