Log SSL Cipher Version and User Agent Info

Question

Hi
I need to log if there are connections using SSLv3 Cipher before disabling it.
I'm using this code:
when CLIENTSSL_HANDSHAKE {
    ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
}
if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] &lt; 128 ) } then {
    set invalid_ssl 1
} else {
    set invalid_ssl 0
}  
}

That way I get the usage of the different Cipher versions but there isn't any information about OS or Browser.That info is in [HTTP::header User-Agent] but can't be used inside CLIENTSSL_HANDSHAKE. It could be done in HTTP_REQUEST but it would be executed serveral times for the same session and the stats wouldn't be reliable How could I log the Cipher Version and User-Agent data just once for each session? Thanks&nbsp;

kai_wilke · Answer

Hi Manuel,
basically you can do two things...
Example 1: If using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or 
         ( [SSL::cipher name] contains "DES" ) or 
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] &lt; 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    }
}

Note: The above example would add a very little overhead for consecutive requests using the same TCP session.
Example 2: If NOT using additional HTTP_REQUEST iRules
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or 
         ( [SSL::cipher name] contains "DES" ) or 
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] &lt; 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        HTTP::redirect http://www.domain.de/errorpage.html
        TCP::close
    } else {
        event HTTP_REQUEST disable
    }
}

Note: The above example would disable further processing of HTTP_REQUEST events for the current TCP connection. So it wouldn't add additional overhead for consecutive requests using the same TCP session.
Note: Integrate your ISTATS counters as needed... 😉
Cheers, Kai

soymanue · Answer

Hello&nbsp;
Thanks for your answer. Unfortunately I can't redirect to an error page. The service must be available even if you connect with SSLv3 for a while, until we have the stats.&nbsp;
So I need to log just once per connection:&nbsp;
log local0.debug "SSLv3 cipher connection for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"&nbsp;
And let the connection work.&nbsp;
I have another event with HTTP_REQUEST to detect if the client uses client certificate authentication. Therefore, I can't disable HTTP_REQUEST event&nbsp;
Regards&nbsp;

kai_wilke · Answer

Ah okay... its just for logging. Then try this... 😉
when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] contains "SSL" ) or 
         ( [SSL::cipher name] contains "DES" ) or 
         ( [SSL::cipher name] contains "RC4" ) or
         ( [SSL::cipher bits] &lt; 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
        log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
        set invalid_ssl 0
    }
}

Note: The outlined iRule would now [log] (or possibly [ISTATS]) just once per SSL connection.
Cheers, Kai

Forum Discussion

Log SSL Cipher Version and User Agent Info

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Cipher Suites Supported (12.1.5.3)

TMOS script for updating SSL profile cipher group and TLS versions

BIG-IP Orchestrate in private Data Center using Terraform Cloud Agent

LTM Cipher rule

Cipher Suite Practices and Pitfalls