Forum Discussion

Almassud_221797
Feb 24, 2016

Redirect if less than TLSv1.2

Hello all,

So we now have enforced all connections to a VIP for all of our websites to TLSv1.2 only.

As a result, we get calls from users not able to access websites, and then we check the IE settings and find that support for TLSv1.2 is disabled. All works after we enable it.

So I am thinking whether we can have an iRule that we attach to this VIP that checks to see if the client is trying to establish the connection on any TLS older than 1.2, and if so redirects them to a page on a web server that allows just about all connections and would give them all the details about what's happening and how they can fix it.

The key here is the iRule, which I don't have and don't seem to find on DevCentral so far.

Any help with this is very much appreciated.

Thanks, MJ

 

2 Replies

  • nathe

    MJ you can use the SSL::cipher command to get the version of TLS negotiated.

    See:

    https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx

    Here is an iRule in the CodeShare to redirect on weak ciphers you can use:

    https://devcentral.f5.com/codeshare?sid=656

    From that here's a quick example (non-tested):

      when HTTP_REQUEST {
        # Log the protocol version the client negotiated during the SSL handshake
        log local0. "[IP::remote_addr]: SSL cipher version is [SSL::cipher version]"
        # SSL::cipher version returns strings such as "TLSv1", "TLSv1.1" or "TLSv1.2";
        # a string "<" compare against "TLS1.2" never matches, so test for inequality instead
        if { [SSL::cipher version] ne "TLSv1.2" } {
          HTTP::respond 302 Location "http://www.example.com/error/sslerr.html" Cache-Control No-Cache Pragma No-Cache Connection Close
        }
      }

    Note you'd need to allow these ciphers in the client SSL profile so the client can negotiate the SSL transaction.

    Hope this helps,

    N

  • Hi Almassud,

    This snippet should work and provides some compliance check results to the error page...

    when CLIENTSSL_HANDSHAKE {
        # Record why the client will be denied; an empty string means TLSv1.2 was negotiated
        if { [SSL::cipher version] equals "TLSv1.2" } then {
            set deny_reason ""
        } else {
            # Encode the handshake details so they survive as a single URL query parameter
            set deny_reason [URI::encode [b64encode "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"]]
        }
    }
    when HTTP_REQUEST {
        # Guard against the variable being unset if the handshake event did not run on this connection
        if { [info exists deny_reason] && $deny_reason ne "" } then {
            HTTP::redirect "http://www.domain.de/errorpage.html?reason=$deny_reason"
            TCP::close
            event disable all
            return
        }
    }

    Note: Keep in mind that you have to allow the legacy SSL/TLS version in your Clientside SSL Profile. The security check is then performed in the outlined iRule.

    Cheers, Kai
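A consolidated form of the approach in both replies, added here as an example and not code from either poster: it whitelists the protocol versions that are acceptable (so that TLSv1.3 on newer TMOS releases is not caught by a plain `ne "TLSv1.2"` test), guards against the handshake variable never being set, and closes the legacy connection after the redirect. The error page host and path are placeholders.

```tcl
# Added example, not from the original replies. Attach to the HTTPS virtual server.
# The client SSL profile must still permit the legacy versions; otherwise the
# handshake fails before any iRule event fires and no redirect is possible.
when CLIENTSSL_HANDSHAKE {
    # SSL::cipher version returns strings such as "SSLv3", "TLSv1", "TLSv1.1",
    # "TLSv1.2" (and "TLSv1.3" on newer TMOS releases).
    set tls_version [SSL::cipher version]
    switch -- $tls_version {
        TLSv1.2 -
        TLSv1.3 { set legacy_client 0 }
        default { set legacy_client 1 }
    }
    if { $legacy_client } {
        log local0.info "Legacy TLS client [IP::client_addr]:[TCP::client_port] negotiated $tls_version / [SSL::cipher name]"
    }
}

when HTTP_REQUEST {
    # If the handshake event did not run, treat the client as modern rather than
    # referencing an undefined variable (which would raise a Tcl runtime error).
    if { ![info exists legacy_client] || !$legacy_client } {
        return
    }
    # Pass the negotiated version and cipher to the help page as query parameters
    # so it can tell the user exactly which setting to change.
    # www.example.com/tls-help.html is a placeholder for the site that accepts all versions.
    set reason "version=[URI::encode $tls_version]&cipher=[URI::encode [SSL::cipher name]]"
    HTTP::respond 302 Location "http://www.example.com/tls-help.html?$reason" \
        Cache-Control "no-store" Connection "close"
    # No further processing on this connection; the client must reconnect after
    # enabling TLS 1.2 in the browser.
    event disable all
}
```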