Forum Discussion

Visvesh_138292
Jan 09, 2016

iRule to redirect to an error page when the client connects with weak ciphers

Hi Team,

I have an iRule which redirects to an error page when the client connects with weak ciphers, after the SSL handshake completes.

Can someone please help me with what needs to be done to the iRule below to intercept it sooner? The iRule should check and redirect to the error page during the initial SSL handshake from the client to the F5.

    when HTTP_REQUEST {
        log local0. "VIP connection request before if statement Client Source IP: [IP::client_addr]:[TCP::client_port] with [SSL::cipher name] and [SSL::cipher bits] "
        if { [SSL::cipher name] equals "RC4" && [SSL::cipher name] equals "SSLV3" && [SSL::cipher name] equals "3DES" } then {
            HTTP::redirect
        }
    }

Regards, Visvesh.

 

7 Replies

  • Hi Visvesh,

    this is unfortunately not possible.

    Browsers wouldn't speak HTTP before the SSL handshake is complete. Therefore you can't use [HTTP::redirect] in earlier stages to redirect to a friendly error page.

    BTW: Are you sure that your outlined iRule is working? You're using a && operator (aka AND) to deny the different cipher suites, but the result can always be just one of the values. An || operator (aka OR) would make more sense. In this case only one of the listed weak ciphers is needed to trigger the redirect...

    Cheers, Kai

  • Thanks a lot for your response Kai...

    I haven't tested this iRule yet... As you suggested I will use "||" instead of "&&".

    Also, is there any way to enable logging with this iRule for the blocked ciphers?

    Regards, Visvesh.

  • Hi Visvesh,

    you can use the iRule below as a starting point.

    It performs the cipher checks during CLIENTSSL_HANDSHAKE to speed up keep-alive sessions. And then just triggers the [HTTP::redirect] during HTTP_REQUEST to send the friendly error message...

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] contains "SSL" ) or 
             ( [SSL::cipher name] contains "DES" ) or 
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            HTTP::redirect http://www.domain.de/errorpage.html
        }
    }
    

    You may also take a look at Stephan's cipher cheat sheet if you need to tweak the contained cipher values.

    https://devcentral.f5.com/questions/tmos-ssl-tls-cipher-cheat-sheetanswer131007

    Cheers, Kai
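As an added example (not Kai's code or anything posted in the thread), the same handshake-time check with two additions a practitioner would want: a guard for HTTP_REQUEST firing on a connection where CLIENTSSL_HANDSHAKE never ran, and an error response generated on the BIG-IP itself instead of a redirect to another host. The variable name, log text and response body are assumptions.

```tcl
# Added example, not code from the thread. Same cipher checks as Kai's rule,
# evaluated once per TCP connection right after the client SSL handshake.
when CLIENTSSL_HANDSHAKE {
    set invalid_ssl 0
    if { ( [SSL::cipher version] contains "SSL" ) ||
         ( [SSL::cipher name] contains "DES" ) ||
         ( [SSL::cipher name] contains "RC4" ) ||
         ( [SSL::cipher bits] < 128 ) } {
        set invalid_ssl 1
        # Log line format is assumed; adjust to your SIEM parser.
        log local0. "Weak cipher from [IP::client_addr]:[TCP::client_port]: [SSL::cipher version] [SSL::cipher name] [SSL::cipher bits] bits"
    }
}
when HTTP_REQUEST {
    # Reading a Tcl variable that was never set raises an error and aborts the
    # connection, so check existence first. This happens when CLIENTSSL_HANDSHAKE
    # never ran, e.g. the rule is attached to a virtual server without a client
    # SSL profile.
    if { ![info exists invalid_ssl] } { return }
    if { !$invalid_ssl } { return }
    # Answer on-box: the client is already connected with the weak cipher, so a
    # redirect to a page on this same host would just come back through this
    # rule again. HTTP::respond needs no pool member and closes the connection.
    HTTP::respond 403 content "<html><body><h1>Connection rejected</h1><p>Your browser negotiated [SSL::cipher name] ([SSL::cipher bits] bits). Please update it and try again.</p></body></html>" "Content-Type" "text/html" "Connection" "close"
}
```

This only informs clients that already completed a weak handshake; the cipher list in the client SSL profile is what actually stops those handshakes from succeeding.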

  • Hi Kai, thanks for providing the iRule.

    What are invalid_ssl 1 and invalid_ssl 0 in the set syntax?

    Also, I see that in the redirection invalid_ssl is used, not "invalid_ssl 1 and 0".

    set invalid_ssl 1 } else { set invalid_ssl 0 }

    Regards, Visvesh.

  • Hi Visvesh,

    the set invalid_ssl 1 is a variable to store the result of the check. The name of the variable is free text and can be changed to whatever you want.

    An if { $invalid_ssl } then { ... } is a little faster than if { $invalid_ssl == 1 } then { ... } but performs the same. Both will trigger the contained [HTTP::redirect] action as long as $invalid_ssl is set to 1.

    Cheers, Kai

  • Thanks a lot Kai... I will test this iRule and update you with the results.

    Regards, Visvesh

    • Kai_Wilke
      Fine. Let me know if it works out, or if you need additional assistance... ;-)