Forum Discussion

NiHo_202842
Aug 26, 2016

iRule event for SSL handshake fail?

Hi,


is there a way to detect that the client does not support any of the clientssl ciphers? I would like to show a static page saying to upgrade their browser/OS. Thanks!


Regards


2 Replies

  • Hamish

    Mm... If the SSL negotiation fails, how is the client going to show the page to the user?


    You'd have to let the SSL/TLS complete with a lower encryption and then redirect IF the encryption wasn't one of the allowed ones...


    There used to be a fairly simple rule around on codeshare for this, but I just stumbled on a newer one from GavinW, Friendly SSL Page, in which you change the encryption from required to request and then redirect if you don't get the 'required' encryptions...


  • Hi Niho,

    you may use the iRule below as a starting point. It will analyse the cipher settings used by the underlying SSL connection and HTTP::redirect the client to an error page if the cipher settings don't meet the minimum requirements.

    when CLIENTSSL_HANDSHAKE {
        # Classify the negotiated cipher: an SSLv2/SSLv3 session, a DES/3DES or
        # RC4 cipher, or a key shorter than 128 bits is treated as invalid.
        if { ( [SSL::cipher version] contains "SSL" ) or
             ( [SSL::cipher name] contains "DES" ) or
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            log local0. "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits]"
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        # Guard with info exists: referencing an unset variable raises a Tcl
        # error and resets the connection instead of redirecting it.
        if { [info exists invalid_ssl] && $invalid_ssl } then {
            HTTP::redirect http://www.domain.de/errorpage.html
        }
    }

    Note: You have to enable insecure cipher settings on your SSL profile to allow the insecure clients to establish an SSL/TLS channel using weak ciphers. Then use the iRule above to sort out the weak ciphers, encryption methods and insecure key lengths as needed.

    Cheers, Kai
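To check what the cipher test in Kai's iRule actually catches, and to make use of the log line it writes, here is an added Python example that is not part of this thread and not F5 code: it reimplements the same four-part policy, parses the exact message the rule emits with `log local0.`, and tallies denied handshakes per client and per reason. The log lines are constructed samples in /var/log/ltm style, and the rule name /Common/weak_cipher_check is an assumption.

```python
import re
from collections import Counter

# Weak-cipher policy mirroring the iRule above: reject any SSLv2/SSLv3 session,
# any cipher whose name contains DES (this also matches 3DES, e.g. DES-CBC3-SHA)
# or RC4, and any key shorter than 128 bits.
def weak_reasons(version: str, name: str, bits: int) -> list:
    """Return the policy rules the negotiated cipher violates (empty if acceptable)."""
    reasons = []
    if "SSL" in version:
        reasons.append("protocol")   # SSLv2/SSLv3 rather than TLS
    if "DES" in name:
        reasons.append("des")        # DES or 3DES bulk cipher
    if "RC4" in name:
        reasons.append("rc4")
    if bits < 128:
        reasons.append("short-key")
    return reasons

def is_weak_cipher(version: str, name: str, bits: int) -> bool:
    return bool(weak_reasons(version, name, bits))

# Matches the message the iRule writes with "log local0.". The IP is captured
# greedily so an IPv6 client address (which itself contains colons) still
# splits off its port correctly.
DENIED_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>\S+):(?P<port>\d+) using "
    r"(?P<version>[^,]+), (?P<name>\S+) and (?P<bits>\d+)"
)

def parse_denied_line(line: str):
    """Parse one ltm log line produced by the iRule; None if it is not a denial."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "version": m.group("version"),
        "name": m.group("name"),
        "bits": int(m.group("bits")),
    }

def summarize_denials(lines):
    """Count denied handshakes per client IP and per violated policy rule."""
    per_client = Counter()
    per_reason = Counter()
    for line in lines:
        rec = parse_denied_line(line)
        if rec is None:
            continue
        per_client[rec["ip"]] += 1
        for reason in weak_reasons(rec["version"], rec["name"], rec["bits"]):
            per_reason[reason] += 1
    return per_client, per_reason

# Constructed sample lines in the shape /var/log/ltm shows them (not real data);
# the rule name /Common/weak_cipher_check is assumed.
SAMPLE_LOG = [
    "Aug 26 10:01:02 bigip1 info tmm[1234]: Rule /Common/weak_cipher_check <CLIENTSSL_HANDSHAKE>: "
    "Denied SSL Handshake for Client 192.0.2.10:51234 using SSLv3, DES-CBC3-SHA and 168",
    "Aug 26 10:01:09 bigip1 info tmm[1234]: Rule /Common/weak_cipher_check <CLIENTSSL_HANDSHAKE>: "
    "Denied SSL Handshake for Client 192.0.2.10:51240 using TLSv1, RC4-SHA and 128",
    "Aug 26 10:02:41 bigip1 info tmm[1234]: Rule /Common/weak_cipher_check <CLIENTSSL_HANDSHAKE>: "
    "Denied SSL Handshake for Client 2001:db8::7:40001 using TLSv1, EXP-RC2-CBC-MD5 and 40",
    "Aug 26 10:03:00 bigip1 info tmm[1234]: Rule /Common/weak_cipher_check <HTTP_REQUEST>: "
    "something unrelated",
]

if __name__ == "__main__":
    clients, reasons = summarize_denials(SAMPLE_LOG)
    for ip, n in clients.most_common():
        print(f"{ip}: {n} denied handshake(s)")
    print("by reason:", dict(reasons))
```

One thing the summary makes visible: DES-CBC3-SHA reports 168 bits, so the `< 128` test alone would let 3DES through; it is the name match on "DES" that rejects it, while AES cipher names (which do not contain "DES") pass that check.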