Forum Discussion
mimlo_61970
Oct 21, 2014 · Cumulonimbus
The only way you are going to be able to send a message to the client is to allow SSL to complete the handshake with SSLv3 and then send the message. Without the SSL layer completed, HTTP events are not going to be applicable.
Based on this article https://devcentral.f5.com/wiki/iRules.RedirectOnWeakEncryption.ashx I worked up the following, which can probably be tightened up by making sure no backend resources are ever assigned and so on, but illustrates a basic example.

    when HTTP_REQUEST {
        if { [SSL::cipher version] eq "SSLv3" } {
            HTTP::respond 302 Location "http://weakencryption"
        }
    }

Tested using openssl s_client:

    openssl s_client -connect 10.0.0.1:443 -ssl3
    --- ssl handshake omitted ---
    GET /
    HTTP/1.0 302 Found
    Location: http://weakencryption
    Server: BigIP
    Connection: close
    Content-Length: 0

and with TLS:

    openssl s_client -connect 10.0.0.1:443 -tls1
    --- ssl handshake omitted ---
    GET /
    Hello World!
    closed
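
The two manual s_client checks above can be made repeatable. The script below is an added example, not part of the original post: it reads a captured s_client transcript and reports whether the redirect policy held, including the case where SSLv3 never completes the handshake and so no HTTP response arrives. The function names and sample transcripts are constructed for illustration; the warning URL is the one used in the iRule.

```shell
#!/bin/sh
# Added example. WARN_URL comes from the iRule in the post; the function
# names and the sample transcripts below are constructed for illustration.
WARN_URL="http://weakencryption"

# Print the status code of the first HTTP status line, or nothing if the
# transcript has none (handshake failed, or a bare body such as "Hello World!").
http_status() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { print $2; exit }'
}

# Print the value of the Location header (header name matched case-insensitively).
http_location() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

# verdict PROTO TRANSCRIPT: PROTO is "ssl3" or "tls" (the s_client option used).
verdict() {
    proto=$1 status=$(http_status "$2") loc=$(http_location "$2")
    if [ "$proto" = "ssl3" ]; then
        # SSLv3 must finish the handshake AND receive the 302 to the warning page.
        if [ "$status" = "302" ] && [ "$loc" = "$WARN_URL" ]; then echo "PASS"
        else echo "FAIL: SSLv3 client not redirected (status=${status:-none})"; fi
    elif [ "$loc" = "$WARN_URL" ]; then
        echo "FAIL: TLS client was sent to the warning page"
    else
        echo "PASS"
    fi
}

# Constructed transcripts, modelled on the s_client output shown in the post.
SSL3_OK='--- ssl handshake omitted ---
GET /
HTTP/1.0 302 Found
Location: http://weakencryption
Server: BigIP
Connection: close
Content-Length: 0'
TLS_OK='--- ssl handshake omitted ---
GET /
Hello World!
closed'
SSL3_NO_HANDSHAKE='--- handshake failure, no HTTP response ---'

verdict ssl3 "$SSL3_OK"
verdict tls  "$TLS_OK"
verdict ssl3 "$SSL3_NO_HANDSHAKE"
```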