Forum Discussion

Dave_013_164000
Jan 14, 2015

Trying to use iRules to redirect SSLv3 while allowing other IPs to use SSLv3

As part of the POODLE migration I have used the following to redirect bad browsers:

    when HTTP_REQUEST {
        if { [SSL::cipher version] eq "SSLv3" } {
            HTTP::respond 302 Location "http://corp.com/browservalidator-SSLv3"
        }
    }

I also have a couple of VSs that need to be accessed by remote system accounts, and I have used an iRule to allow these hosts:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals "QC68347-SSLv3_allow_DGL"] } {
            SSL::profile QC68347-SSLv3-gateway.corp.com
        }
    }

The default SSL client profile has SSLv3 turned off, but the QC68347-SSLv3-gateway.corp.com SSL Client Profile allows it and the QC68347-SSLv3_allow_DGL Data Group list contains the allowed IPs.

 

I now have the need to allow a single IP to access a resource via SSLv3, but block all other SSLv3 traffic. I tried to use both of these iRules on the same VS. I had assumed that since the CLIENT_ACCEPTED event occurred first, the sessions from the allowed IPs would redirect to an SSL client profile and connect to the pool, while non-allowed SSLv3 sessions would fire on CLIENT_ACCEPTED and redirect. I have been unsuccessful at getting both iRules to work together. Is there an easier way of doing this?

2 Replies

  • Hi Dave, here is a tested iRule to permit SSLv3 for specified clients:

    priority 100
    when RULE_INIT {
        # Enable/disable debugging (0 = off, 1 = log dropped handshakes, 2 = log every handshake)
        set static::debug_rule_ssl_test 1
    }
    when CLIENTSSL_HANDSHAKE {
        # Log client-ssl handshake parameters
        if { $static::debug_rule_ssl_test > 1 } {
            log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
        }
        # SSLv3 is only permitted for clients listed in the whitelist data group
        if {([SSL::cipher version] equals "SSLv3") && ! ([class match [IP::client_addr] equals datagroup_sslv3_client_whitelist ])} {
            if { $static::debug_rule_ssl_test > 0 } {
                log local0. "client-ssl <[IP::client_addr]> > <[IP::local_addr]:[TCP::local_port]> (<[SSL::cipher name]>:<[SSL::cipher version]>:<[SSL::cipher bits]>)"
            }
            drop
        }
    }

    Please make sure to have a datagroup (type "IP address") containing permitted client IP addresses or networks.

    Your client-ssl profile needs to allow SSLv3. Otherwise the condition will never be tested. Please be aware that with v11.5.1 and later hotfixes SSLv3 is disabled by default and has to be enabled by including it in the SSL cipher string settings.

    Thanks,

    Stephan
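One way to combine the whitelist check from the reply above with the redirect the question asked for, as an added example that is neither Stephan's nor the original poster's code: it assumes the client-ssl profile on the virtual server permits SSLv3 (otherwise the handshake fails before HTTP_REQUEST can fire) and a data group of type "IP address" named datagroup_sslv3_client_whitelist, the name used in the reply.

```tcl
# Added example, not from the thread: keep the SSLv3 session for whitelisted
# clients and send every other SSLv3 client to the browser-validator page
# instead of silently dropping the handshake.
# Assumptions: the client-ssl profile still permits SSLv3, and the data group
# datagroup_sslv3_client_whitelist (type "IP address") lists the permitted
# client addresses or networks.
priority 100
when RULE_INIT {
    # Destination for non-whitelisted SSLv3 clients (URL taken from the question)
    set static::sslv3_redirect_url "http://corp.com/browservalidator-SSLv3"
}
when CLIENTSSL_HANDSHAKE {
    # Decide once per TCP connection; the variable stays visible in HTTP_REQUEST
    set sslv3_redirect 0
    if { [SSL::cipher version] equals "SSLv3" } {
        if { [class match [IP::client_addr] equals datagroup_sslv3_client_whitelist] } {
            log local0. "SSLv3 permitted for whitelisted client [IP::client_addr]"
        } else {
            set sslv3_redirect 1
            log local0. "SSLv3 from non-whitelisted client [IP::client_addr], redirecting"
        }
    }
}
when HTTP_REQUEST {
    # Only non-whitelisted SSLv3 sessions take this branch; TLS clients and
    # whitelisted SSLv3 clients are passed to the pool as usual
    if { [info exists sslv3_redirect] && $sslv3_redirect } {
        HTTP::respond 302 Location $static::sslv3_redirect_url Connection "close"
    }
}
```

Because the redirect target is plain HTTP, the follow-up request does not arrive over SSLv3 and cannot loop back into the redirect branch.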
  • As mentioned above, it will be necessary to enable SSLv3 explicitly if you are running recently published hotfixes. You can check the result of modified SSL cipher strings by using a CLI utility as described below:

    tmm --clientcipher 'DEFAULT:SSLv3'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
     2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
     3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
     4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
     5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
     6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
     7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
     8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
     9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
    10:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
    11:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
    12:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
    13:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
    14:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
    15:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
    16:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
    17: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
    18: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
    19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
    20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
    21: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    22: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
    23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
    24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
    25: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
    26: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
    27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
    28:    57  DHE-RSA-AES256-SHA               256  SSL3    Native  AES     SHA     EDH/RSA
    29:    56  DHE-DSS-AES256-SHA               256  SSL3    Native  AES     SHA     DHE/DSS
    30:    22  DHE-RSA-DES-CBC3-SHA             192  SSL3    Native  DES     SHA     EDH/RSA
    31:    51  DHE-RSA-AES128-SHA               128  SSL3    Native  AES     SHA     EDH/RSA
    32:    50  DHE-DSS-AES128-SHA               128  SSL3    Native  AES     SHA     DHE/DSS
    33:    21  DHE-RSA-DES-CBC-SHA               64  SSL3    Native  DES     SHA     EDH/RSA
    34:     9  DES-CBC-SHA                       64  SSL3    Native  DES     SHA     RSA
    35:    53  AES256-SHA                       256  SSL3    Native  AES     SHA     RSA
    36:    47  AES128-SHA                       128  SSL3    Native  AES     SHA     RSA
    37:    10  DES-CBC3-SHA                     192  SSL3    Native  DES     SHA     RSA
    38:     5  RC4-SHA                          128  SSL3    Native  RC4     SHA     RSA
    39:     4  RC4-MD5                          128  SSL3    Native  RC4     MD5     RSA
    

    In the example above I added SSLv3 to the DEFAULT cipher alias, and now these ciphers are available as well and show up with low priority at the end of the list.

    By adding additional parameters you can exclude, e.g., unwanted RC4 ciphers by using the exclamation mark:

    tmm --clientcipher 'DEFAULT:SSLv3:!RC4'
    

    Once you have found an applicable cipher string, it will be necessary to adjust this parameter in the relevant client-ssl profile associated with the virtual server that terminates incoming SSL traffic.

    Thanks