Forum Discussion
Try this on for size, sfrjames.
This will test whether the connection is not TLS1.2; if so, it will then serve a page from an iFile and set a cookie on the client. After a configurable amount of time (static::TLS1_2_Test_refresh) the page will refresh and deliver you to the originally requested content.
If you want to serve just simple text, replace the iFile content portion with whatever text you want, but this gives you the ability to load an entire page with formatting etc. (if you're smart you can embed images directly into it as base64-encoded PNGs).
The warning will only show up every 30 days by default (change static::TLS1_2_Test_Cookie_Validity to a value in days), based on the cookie. If you don't put a mechanism like this in place, then every single request will get the warning page (though you can configure this by setting static::TLS1_2_Test_Block_Mode_On to 1).
(N.B. This wasn't originally for TLS1.2 detection; it checked to see if they were using SSLv3 and sent them to a page telling them to upgrade their browser. It's the same principle, but I haven't checked it out to see if it 100% works for TLS1.2; I simply re-jigged it to check for not TLS1_2 instead of for SSLv3.)
```tcl
# Name:        TLS1_2_Test
# Author:      Matt Elkington
# Contact:     melkington@integrity360.com
# Date:
# Description: Test for TLS1_2 connections and then serve a page
#              Page will auto-refresh and then serve originally requested content
#              Can switch into block mode where it will always serve warning page
#
# Change Log
# Version  Change            Date
# 1.0      Initial iRule     07/12/15
# 1.1      Multiple Changes  16/02/16

when RULE_INIT {
    # set static variables
    # set debug mode (0=off, 1=minimal, 2=verbose, 3=overwhelming)
    # (change "iRule_Name" to name of actual iRule)
    set static::TLS1_2_Test_Debug 3
    # cookie name
    set static::TLS1_2_Test_Cookie_Name TLS1_2_Test_Cookie
    # cookie expiration period in days
    set static::TLS1_2_Test_Cookie_Validity 30
    # Default HTTP content for when no other page is specified
    set static::TLS1_2_Test_Ifile_default outdated_en
    # Page Refresh time in seconds
    set static::TLS1_2_Test_refresh 30
    # Set this variable to 1 to simply serve the page every single time
    set static::TLS1_2_Test_Block_Mode_On 0
    # Cookie Value (not user configurable); the cookie name doubles as its value
    set static::TLS1_2_Test_cookie_format [format "%s=%s; Max-Age=%s; path=/" $static::TLS1_2_Test_Cookie_Name $static::TLS1_2_Test_Cookie_Name [expr {$static::TLS1_2_Test_Cookie_Validity * 86400}]]
}

when HTTP_REQUEST {
    # Check for TLS1_2
    if { [SSL::cipher version] ne "TLS1_2" } {
        set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri] -"
        # Check to see if Block Mode is not enabled
        if { $static::TLS1_2_Test_Block_Mode_On == 0 } {
            # Check for existence of cookie and do not serve page if it exists
            if { [HTTP::cookie exists $static::TLS1_2_Test_Cookie_Name] } {
                if { $static::TLS1_2_Test_Debug > 2 } {
                    log local0. "$LogString not using TLS1_2 but cookie is already set"
                }
                return
            }
        }
        # Serve outdated warning page, set the cookie and refresh back to the original URI
        HTTP::respond 200 content [ifile get $static::TLS1_2_Test_Ifile_default] "Set-Cookie" $static::TLS1_2_Test_cookie_format "Refresh" $static::TLS1_2_Test_refresh
        if { $static::TLS1_2_Test_Debug > 0 } {
            # This branch only runs for non-TLS1_2 clients, so log it as such
            log local0. "$LogString not using TLS1_2"
            if { $static::TLS1_2_Test_Debug > 1 } {
                log local0. "$LogString is [HTTP::header User-Agent]"
            }
        }
    }
}
```
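The cookie/block-mode/TLS-version interplay described in the post can be reasoned about without a BIG-IP. The following Python simulation is an added example (it is not the author's iRule and not F5 code); it mirrors the decision logic of the HTTP_REQUEST event, formats the Set-Cookie header the same way as `static::TLS1_2_Test_cookie_format`, and replays a few requests from one simulated client that stores cookies like a browser. The iFile body, the `Request`/`Response` classes and the client replay loop are constructed for the example; the TLS version strings are only placeholders for whatever `SSL::cipher version` returns on your platform.

```python
"""Offline simulation of the iRule's decision logic (added example, not the
original iRule). Shows that the cookie suppresses the warning on later
requests, that block mode ignores the cookie, and that TLS1_2 clients pass."""
from dataclasses import dataclass, field

# Mirror of the static:: settings in RULE_INIT (values from the post)
COOKIE_NAME = "TLS1_2_Test_Cookie"
COOKIE_VALIDITY_DAYS = 30
REFRESH_SECONDS = 30
# Constructed stand-in for the outdated_en iFile content
WARNING_PAGE = "<html><body>Please upgrade your browser.</body></html>"


def cookie_header(name: str = COOKIE_NAME, validity_days: int = COOKIE_VALIDITY_DAYS) -> str:
    """Same shape as static::TLS1_2_Test_cookie_format: the name doubles as the value."""
    return f"{name}={name}; Max-Age={validity_days * 86400}; path=/"


@dataclass
class Request:
    tls_version: str                      # what SSL::cipher version would return
    cookies: dict = field(default_factory=dict)
    uri: str = "/"


@dataclass
class Response:
    action: str                           # "pass" (to origin) or "warn" (warning page)
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle(req: Request, block_mode: bool = False) -> Response:
    """Decision logic of the HTTP_REQUEST event."""
    if req.tls_version == "TLS1_2":
        return Response("pass")
    # Not TLS 1.2: an existing cookie suppresses the warning unless block mode is on
    if not block_mode and COOKIE_NAME in req.cookies:
        return Response("pass")
    return Response(
        "warn",
        headers={"Set-Cookie": cookie_header(), "Refresh": str(REFRESH_SECONDS)},
        body=WARNING_PAGE,
    )


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser so the simulated client can store the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return {"name": name, "value": value, "max_age": int(attrs.get("max-age", 0))}


def simulate_client(tls_version: str, requests: int, block_mode: bool = False) -> list:
    """Replay several requests from one client, keeping cookies like a browser would."""
    jar = {}
    actions = []
    for _ in range(requests):
        resp = handle(Request(tls_version, cookies=dict(jar)), block_mode)
        actions.append(resp.action)
        if "Set-Cookie" in resp.headers:
            c = parse_set_cookie(resp.headers["Set-Cookie"])
            if c["max_age"] > 0:          # a zero/negative Max-Age would discard it
                jar[c["name"]] = c["value"]
    return actions


if __name__ == "__main__":
    print(simulate_client("TLS1_1", 3))                   # ['warn', 'pass', 'pass']
    print(simulate_client("TLS1_1", 3, block_mode=True))  # ['warn', 'warn', 'warn']
    print(simulate_client("TLS1_2", 2))                   # ['pass', 'pass']
```

The replay makes the post's caveat concrete: suppression lives entirely in the client's cookie jar, so a client that drops cookies (or one hitting the rule with block mode on) receives the warning page on every request, and the 30-day window is enforced by the browser's Max-Age handling, not by anything on the BIG-IP.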