Irule for restricting selected ips for NOT USING TLSV1 and 1.1
Hello All, I have requirement of use an iRules in F5 to enable TLS V1.0 and 1.1 only for Selected IP addresses or IP ranges. and enable only TLS 1.2 for all remaining . I have tried the irule below by creating data group list with Name"TLSV1.0_1.1_Disable" and 2 SSL profiles with tls disabled and enabled .but i see the error below, can some one please suggest me if there is any irule or procedure to follow for this requirement?
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] eq $TLSV1.0_1.1_Disable ]} {
SSL::profile SSLprofile1---------------> TLSv0and1 enabled
} else {
SSL::profile SSLprofile2_Disable------------->TLSv0and1 enabled.
}
}
Error i am seeing is below. where kaladhar_test is name of the irule
01070151:3: Rule [/Common/Kaladhar_test] error: /Common/Kaladhar_test:2: error: [Invalid IP address][TLSV1.0_1.1_Disable]
matchclass ...
Note: matchclass has been deprecated in v10 in favor of the new commands. The class command offers better functionality and performance than matchclass.
Inserting the appropriate class command into this iRule would look something like this:
when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals TLSV1.0_1.1_Enable ]} { SSL::profile example_profile_enable_weak_TLS } else { SSL::profile example_profile_disable_weak_TLS } }