Forum Discussion
nathe (Cirrocumulus)
Feb 24, 2016
MJ, you can use the SSL::cipher command to get the version of TLS negotiated.
See:
https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx
Here is an iRule in the codeshare to redirect on weak ciphers that you can use:
https://devcentral.f5.com/codeshare?sid=656
From that, here's a quick example (untested):
when HTTP_REQUEST {
    # SSL::cipher version returns the negotiated protocol name, e.g. "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
    log local0. "[IP::remote_addr]: SSL cipher version is [SSL::cipher version]"
    # Match the protocol names explicitly. A lexical "<" comparison against "TLS1.2" (no "v")
    # compares the strings, and "TLSv1" sorts after "TLS1.2", so the redirect would never fire.
    switch -- [SSL::cipher version] {
        "SSLv2" - "SSLv3" - "TLSv1" - "TLSv1.1" {
            HTTP::respond 302 Location "http://www.example.com/error/sslerr.html" Cache-Control "no-cache" Pragma "no-cache" Connection "Close"
        }
    }
}
Note that you'd need to allow these ciphers in the client SSL profile so the client can negotiate the SSL transaction.
Hope this helps,
N
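A fuller variant of the same check, added here as an example and not part of nathe's post or the linked codeshare entry: it matches the protocol names returned by SSL::cipher version exactly, and instead of redirecting to a separate error page (which needs its own plain-HTTP virtual server so the redirect doesn't loop back into the same rule) it answers with an inline 426 Upgrade Required page carrying an Upgrade header. The page wording and the choice of 426 are this example's own; the iRule commands used (SSL::cipher, HTTP::respond, HTTP::host, HTTP::uri, log) are standard. As the post notes, the client SSL profile must still offer the old protocols, or the handshake fails before any HTTP response can be sent. Attach this only to virtual servers that have a client SSL profile; SSL::cipher is not available on a plain-HTTP virtual server.

```tcl
# Added example (not from the original post): refuse sub-TLS 1.2 clients at the HTTP layer
# with an inline 426 Upgrade Required page rather than a 302 to an external error page.
when HTTP_REQUEST {
    # SSL::cipher version returns the negotiated protocol name, e.g. "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
    set proto [SSL::cipher version]

    switch -- $proto {
        "TLSv1.2" - "TLSv1.3" {
            # Modern protocol: let the request through untouched
            return
        }
        default {
            # Anything else (SSLv3, TLSv1, TLSv1.1, or an unexpected value) is refused.
            # Log protocol and cipher so the weak clients can be identified before enforcement is tightened.
            log local0. "[IP::remote_addr] negotiated $proto ([SSL::cipher name]); refusing [HTTP::host][HTTP::uri]"

            # Minimal HTML body; wording is this example's own. $proto is a fixed protocol name
            # from the handshake, not client-controlled text, so echoing it is safe.
            set body "<html><body><h1>426 Upgrade Required</h1><p>Your browser connected with $proto. This site requires TLS 1.2 or newer.</p></body></html>"

            # 426 with an Upgrade header (RFC 2817) tells the client which protocol it needs.
            # Connection: Close stops the weak session being reused for further requests.
            HTTP::respond 426 content $body \
                "Content-Type" "text/html" \
                "Upgrade" "TLS/1.2" \
                "Connection" "Close" \
                "Cache-Control" "no-store"
        }
    }
}
```

Because the default branch refuses anything that is not an explicitly allowed version, a new or unexpected value from SSL::cipher version fails closed rather than slipping through; add "TLSv1.3" to the allow branch only on a BIG-IP version that actually negotiates it.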