iRule not being processed fully
We are testing and trying to hammer out an iRule that will take traffic for a specific URL/host [host3.example.com] and have it go to a weaker SSL Profile than is currently being used by the Virtual Server. The iRule seems to be partially processed when we examine the logs.
iRule:
    when HTTP_REQUEST {
        if { [HTTP::host] equals "cdn.alpha.dev.insidesales.com" } {
            log local0. "client [IP::client_addr]:[TCP::client_port] uri [HTTP::uri]"
            SSL::session invalidate
            set cmd "SSL::profile /Common/IS-Alpha_Weak"
            eval $cmd
            SSL::renegotiate
            event disable all
        }
    }
This is to allow older browsers/OSs to establish a "secure" connection using TLSv1.0, SSLv2, or SSLv3. We are using Windows XP and IE8 to test and verify.
When testing the weaker OS and browser it fails to process the iRule and the log [/var/log/ltm] shows:
Oct 9 14:29:03 F5-VE info tmm2[15974]: 01260013:6: SSL Handshake failed for TCP x.x.x.x:1437 -> y.y.y.y:443
Oct 9 14:29:03 F5-VE info tmm1[15974]: 01260013:6: SSL Handshake failed for TCP x.x.x.x:1437 -> y.y.y.y:443
However, when testing with a current OS & browser the page is displayed, but the log shows:
Oct 9 14:30:07 F5-VE info tmm[15974]: Rule /Common/Weak_Security_Profile : client x.x.x.x:1447 uri /favicon.ico
Running Qualys scans against the host shows it is using the strict SSL Profile that is specified in the Virtual Server config rather than processing the iRule and directing traffic for the host through the weaker SSL Profile specified in the iRule.
We are testing this on our Dev F5 VE which is running 12.1.2.
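Added example, not part of the original post: HTTP_REQUEST is raised only after the client-side TLS handshake has completed, so a connection that fails the handshake can never reach the iRule's log line. The Python sketch below correlates the two /var/log/ltm message types quoted above per client ip:port; the sample lines and addresses are constructed, and the function and pattern names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post (placeholder addresses).
SAMPLE_LTM_LOG = """\
Oct 9 14:29:03 F5-VE info tmm2[15974]: 01260013:6: SSL Handshake failed for TCP 192.0.2.10:1437 -> 198.51.100.5:443
Oct 9 14:29:03 F5-VE info tmm1[15974]: 01260013:6: SSL Handshake failed for TCP 192.0.2.10:1437 -> 198.51.100.5:443
Oct 9 14:30:07 F5-VE info tmm[15974]: Rule /Common/Weak_Security_Profile : client 192.0.2.20:1447 uri /favicon.ico
"""

HANDSHAKE_FAIL = re.compile(
    r"01260013:\d+: SSL Handshake failed for TCP (?P<client>\S+) -> (?P<vip>\S+)")
# Assumption: an optional "<EVENT_NAME>" token may sit between rule name and colon.
RULE_HIT = re.compile(
    r"Rule (?P<rule>\S+)\s*(?:<\w+>)?\s*: client (?P<client>\S+) uri (?P<uri>\S+)")

def correlate(log_text):
    """Classify each client ip:port by which of the two events it produced."""
    events = defaultdict(lambda: {"failed": 0, "uris": []})
    for line in log_text.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if m:
            events[m.group("client")]["failed"] += 1
            continue
        m = RULE_HIT.search(line)
        if m:
            events[m.group("client")]["uris"].append(m.group("uri"))
    report = {}
    for client, ev in events.items():
        if ev["failed"] and not ev["uris"]:
            # TLS never completed, so no HTTP request was parsed and the
            # HTTP_REQUEST event (and its log statement) never ran.
            report[client] = "failed-before-irule"
        elif ev["uris"] and not ev["failed"]:
            # The handshake already succeeded with the profile on the
            # virtual server before the rule logged this request.
            report[client] = "irule-ran-after-handshake"
        else:
            report[client] = "mixed"
    return report

if __name__ == "__main__":
    for client, verdict in correlate(SAMPLE_LTM_LOG).items():
        print(client, verdict)
```

A connection classified as failed-before-irule was rejected by the SSL profile attached to the virtual server, before any iRule logic keyed on the HTTP host could run.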