best way to reject SSL Connections

Question

We use IPI and we drop the requests via iRule because we cannot use ASM at every VS.
today we reject the connect in then CLIENT_ACCEPTED but the result is a &nbsp;
SSL Handshake failed for TCP  xxx.xxx.xxx.xxx:nnn -&gt; xxx.xxx.xxx.xxx:nnn&nbsp;
in ltm log. do we have to accept that or is there a better way to reject connections like that?&nbsp;
let the connect go on until HTTP_REQUEST is not option because we have the same problem when we use a required Client Certificate where we check for example the UPN and we like to drop the connection if the UPN is invalid or missing.&nbsp;

kevin_stewart · Answer

I guess it depends on how you're doing the reject. If you're sending a reject in CLIENT_ACCEPTED based on the client IP address, you shouldn't be seeing SSL handshake errors. The best you can do though is to simply reject or drop the connection.

andy_mcgrath · Answer

You are getting SSL error as the CLIENT_ACCEPTED event is triggered once the TCP connection has been established so the client has likely already sent the SSL Client Hello before being rejected.&nbsp;
Personally if this is for security and public I would drop the connection instead of rejecting it. These will mean the client TCP connection will timeout.&nbsp;

Forum Discussion

best way to reject SSL Connections

2 Replies

Recent Discussions

Can iRule mask the payload content on event logs of security

Pricing when used with aws waf

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Related Content

irule reject request when payload field is null

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

Trouble redirecting on APM rejection.

Troubeshooting website connection

F5 Connection Mirroring question