Forum Discussion

Todd_Behrens_20
Dec 08, 2016

iRule to Log TLSv1.0 Connections Only

Hi Everyone,

I am trying to identify all clients that still use TLSv1.0 and what browser they use. I created the following iRule to log these connections.

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] contains "TLSv1") } then {
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            log local0. "TLSv1 Client: [IP::client_addr] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
            set invalid_ssl 0
        }
    }

It works, but it also includes TLSv1.2 connections. We have a lot of clients and most use 1.2, so I'm getting way too many logs. Is there a way I can modify this iRule to log TLSv1.0 only?

thanks!

Hi Todd,

glad you've found a rule of mine in another thread... 😉

To report just "TLSv1" sessions, simply change the contains operator of the [if] command to equals...

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] equals "TLSv1") } then {
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            log local0. "TLSv1 Client: [IP::client_addr] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
            set invalid_ssl 0
        }
    }

Cheers, Kai
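As an added example (not the thread's own code), a variant that goes a step beyond Kai's fix: it exact-matches the version strings with a Tcl switch so SSLv3 and TLSv1.1 are reported as well as TLSv1.0, and it guards the flag so the iRule does not abort when HTTP_REQUEST fires on a connection that never went through CLIENTSSL_HANDSHAKE. The variable name legacy_ssl is my own choice.

```tcl
# Added example, not the thread's own iRule. Exact-match the negotiated
# version instead of a "contains" prefix test, which also matched
# "TLSv1.1" and "TLSv1.2".
when CLIENTSSL_HANDSHAKE {
    switch -- [SSL::cipher version] {
        "SSLv3" -
        "TLSv1" -
        "TLSv1.1" {
            # Legacy protocol: flag this connection for one log line.
            set legacy_ssl 1
        }
        default {
            # TLSv1.2 and newer: stay quiet.
            set legacy_ssl 0
        }
    }
}

when HTTP_REQUEST {
    # HTTP_REQUEST also fires on connections with no client-side SSL
    # (e.g. a plain-HTTP virtual server), where legacy_ssl was never set;
    # reading an unset variable there would raise a Tcl error.
    if { [info exists legacy_ssl] && $legacy_ssl } then {
        log local0. "Legacy TLS client: [IP::client_addr] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits, Agent [HTTP::header value "User-Agent"]"
        # Log once per TCP connection, not once per request on it.
        set legacy_ssl 0
    }
}
```

Attach it to the same HTTPS virtual server as the client SSL profile; the User-Agent is only available in HTTP_REQUEST, which is why the handshake event just sets the flag.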