Hi Leonardo,
unfortunately your iRule works only by "accident", since your
[SSL::cipher version] <= "TLSv1"
expression performs a numerical lesser-or-equal comparison on non-numeric values.
Basically you just check whether the requested cipher version string has a lower order in the alphabet than "TLSv1", without checking whether one is more secure than the other...
"TLSv1.2" <= "TLSv1" = Allow
"TLSv1.1" <= "TLSv1" = Allow
"TLSv1" <= "TLSv1" = Block
"SSL3" <= "TLSv1" = Block
"SSL2" <= "TLSv1" = Block
"A" <= "TLSv1" = Block
"Z" <= "TLSv1" = Allow
"a" <= "TLSv1" = Block
"z" <= "TLSv1" = Block
To compare text strings reliably you should only use the equals, eq, ne, starts_with, ends_with and contains directives, and use ==, !=, <= and >= only for pure numeric comparisons.
when CLIENTSSL_HANDSHAKE {
    # Flag the connection if the negotiated protocol is anything other than
    # TLS 1.1 or TLS 1.2 (string comparison with "ne", not "<=").
    if { ( [SSL::cipher version] ne "TLSv1.1" )
        and ( [SSL::cipher version] ne "TLSv1.2" ) } then {
        log local0. "SSL handshake denied for client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    # Guard with info exists so the iRule does not raise a Tcl error if
    # HTTP_REQUEST fires on a connection that never ran CLIENTSSL_HANDSHAKE.
    if { [info exists invalid_ssl] && $invalid_ssl } then {
        HTTP::redirect "http://www.example.com/example"
        TCP::close
        event disable all
        return
    }
}
Cheers, Kai
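A runnable demonstration of the comparison behaviour discussed in the reply above, added here as an example; it is not part of Kai's reply and not F5 iRule code. It runs in plain tclsh, so there is no SSL::cipher command: the list of protocol version strings is constructed and assumed to match what [SSL::cipher version] returns, and TLSv1.3 is included only to show what an explicit allow-list built from "ne" does with a version it was not written for. The rank-based check is an additional approach, not something the reply proposes.

```tcl
# Added example (not part of Kai's reply): shows why "<=" on version strings
# misbehaves in Tcl and how "eq"/"ne" and a rank-based check behave instead.
# Runs in plain tclsh; the version strings below are constructed and assumed
# to match what [SSL::cipher version] returns inside an iRule.

# Constructed sample versions, oldest to newest.
set ranked_versions {SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3}

# The original check: expr falls back to lexicographic string comparison
# when an operand is not numeric, so "<=" says nothing about security.
proc blocked_by_string_compare {version} {
    return [expr {$version <= "TLSv1"}]
}

# Allow-list check using "ne": only the listed versions pass, anything
# else (including a newer version such as TLSv1.3) is blocked.
proc blocked_by_eq {version} {
    return [expr {($version ne "TLSv1.1") && ($version ne "TLSv1.2")}]
}

# Ordered check: rank versions in a list and compare their indices, which
# is a genuinely numeric comparison. Unknown strings are blocked (fail closed).
proc blocked_by_rank {version minimum} {
    global ranked_versions
    set have [lsearch -exact $ranked_versions $version]
    set need [lsearch -exact $ranked_versions $minimum]
    if {$have < 0 || $need < 0} { return 1 }
    return [expr {$have < $need}]
}

puts [format "%-8s %-14s %-10s %-10s" version string_compare eq_check rank_check]
foreach v $ranked_versions {
    puts [format "%-8s %-14s %-10s %-10s" $v \
        [expr {[blocked_by_string_compare $v] ? "Block" : "Allow"}] \
        [expr {[blocked_by_eq $v] ? "Block" : "Allow"}] \
        [expr {[blocked_by_rank $v TLSv1.1] ? "Block" : "Allow"}]]
}
```

Run it with tclsh: the string_compare column blocks SSLv3 and TLSv1 only because "S" sorts before "T" and "TLSv1" is a prefix of the others, the eq_check column shows that an allow-list written with "ne" silently blocks TLSv1.3, and the rank_check column enforces "TLSv1.1 or newer" from the ordered list, so adding a new version means adding it to the list rather than touching the comparison.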