Forum Discussion

Cirrus

Feb 24, 2016

Redirect if less than TLSv1.2

Hello all, so we now have enforced all connections to a VIP for all of our websites TLSv1.2 only. as a result, we get calls from users not able to access websites and then we check IE setti...

Cirrocumulus

Feb 24, 2016

MJ you can use the SSL::cipher command to get the version of TLS negotiated.

See:

https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx

Here is an irule in the codeshare to redirect on weak ciphers you can use:

https://devcentral.f5.com/codeshare?sid=656

From that here's a quick example (non-tested):

  when HTTP_REQUEST {
    log local0. "[IP::remote_addr]: SSL cipher version is [SSL::cipher version]"
    if { [SSL::cipher version] < "TLS1.2" }{
      HTTP::respond 302 Location "http://www.example.com/error/sslerr.html" Cache-Control No-Cache Pragma No-Cache Connection Close
    }
 }

Note you'd need to allow these ciphers in the client SSL profile so the client can negotiate the SSL transaction.

Hope this helps,

Forum Discussion

Redirect if less than TLSv1.2

Recent Discussions

Error while running ansible

URL

Portal Access to HTTPS resources slow

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

Related Content

Logging TLS traffic less than TLSv1.2

Anchor Link Redirect

url redirect

Restrict BIGIQ to TLSv1.2 Only

Open Redirection Mitigation