Forum Discussion
Kai_Wilke
Aug 26, 2016 MVP
Hi Niho,
you may use the iRule below as a starting point. It will analyse the used cipher settings of the underlying SSL connections and HTTP::redirect the client to an error page if the cipher settings don't meet the minimum requirements.
    when CLIENTSSL_HANDSHAKE {
        # Flag the connection if it negotiated an SSL protocol version,
        # a DES or RC4 based cipher, or a key shorter than 128 bits.
        if { ( [SSL::cipher version] contains "SSL" ) or
             ( [SSL::cipher name] contains "DES" ) or
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        # Send flagged connections to the error page instead of the application.
        if { $invalid_ssl } then {
            HTTP::redirect http://www.domain.de/errorpage.html
        }
    }
Note: You have to enable unsecure cipher settings on your SSL profile to allow the unsecure clients to establish an SSL/TLS channel using weak ciphers. Then use the iRule above to sort out the weak ciphers, encryption methods and unsecure key length as needed.
Cheers, Kai
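Added example, not part of Kai's post: a small Python script that tallies the "Denied SSL Handshake" lines the iRule writes to local0, showing which clients and which of the iRule's four tests account for the weak connections. The sample log lines (syslog prefix, hostname, rule name, addresses, cipher values) are constructed; only the message text matched by the regex comes from the iRule's log statement.

```python
import re
from collections import Counter, defaultdict

# Matches the message produced by the iRule's log statement; any syslog prefix is ignored.
DENIED = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>\S+):(?P<port>\d+) "
    r"using (?P<version>[^,]+), (?P<cipher>\S+) and (?P<bits>\d+)"
)

def reasons(version, cipher, bits):
    """Re-apply the iRule's four tests to say why a connection was flagged."""
    found = []
    if "SSL" in version:
        found.append("protocol")
    if "DES" in cipher:
        found.append("DES")
    if "RC4" in cipher:
        found.append("RC4")
    if bits < 128:
        found.append("key<128")
    return found

def summarise(lines):
    """Return (hits per reason, {client ip: set of (version, cipher, bits)})."""
    by_reason = Counter()
    by_client = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not written by this iRule
        bits = int(m["bits"])
        by_reason.update(reasons(m["version"], m["cipher"], bits))
        by_client[m["ip"]].add((m["version"], m["cipher"], bits))
    return by_reason, dict(by_client)

# Constructed sample input; "weak_cipher_check" is a hypothetical rule name.
PREFIX = "Aug 26 10:15:01 bigip1 info tmm[12345]: Rule /Common/weak_cipher_check <CLIENTSSL_HANDSHAKE>: "
SAMPLE = [
    PREFIX + "Denied SSL Handshake for Client 192.0.2.10:51544 using TLSv1, RC4-SHA and 128",
    PREFIX + "Denied SSL Handshake for Client 192.0.2.10:51560 using TLSv1, RC4-SHA and 128",
    PREFIX + "Denied SSL Handshake for Client 198.51.100.7:40022 using SSLv3, DES-CBC-SHA and 64",
    PREFIX + "Denied SSL Handshake for Client 2001:db8::25:50100 using TLSv1.2, DES-CBC3-SHA and 168",
    "Aug 26 10:16:00 bigip1 notice mcpd[4321]: unrelated message",
]

if __name__ == "__main__":
    by_reason, by_client = summarise(SAMPLE)
    print(dict(by_reason))
    for ip, seen in sorted(by_client.items()):
        print(ip, sorted(seen))
```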