Forum Discussion

aboulleill_3013
Jan 09, 2018

redirect to ifile page if TLS 1 or 1.1 is used

Hello,

Kindly note that the following iRule was applied on the VS but it's not working properly:

when HTTP_REQUEST {
    if { [SSL::cipher version] eq "TLSv1" } {
        HTTP::respond 503 content [ifile get maintenance]
    }
}

As per the below, the ifile exists and is verified on the CLI. As well, on Firefox I'm forcing it to use TLS v1.

[root@f5-IB-1:Active:In Sync] config tmsh list sys file ifile
sys file ifile maintenance {
    checksum SHA1:714:28de1ccd8407b517163fdcdc352ae847f46df53c
    create-time 2018-01-09:10:07:18
    created-by admin
    last-update-time 2018-01-09:10:07:18
    mode 33188
    revision 1
    size 714
    updated-by admin
}

11 Replies

  • Hello Abouleil,

    Try the following code:

    when HTTP_REQUEST {
        # TLS 1.0 or 1.1 negotiated: answer with the maintenance page from the iFile
        if { [SSL::cipher version] eq "TLSv1" || [SSL::cipher version] eq "TLSv1.1" } {
            HTTP::respond 503 content [ifile get "/Common/maintenance"]
        }
    }

    Verify that your ifile is under the "Common" partition or replace "Common" by your partition name.

    Regards

  • I think you will need to create an LTM iFile object as well; the sys file ifile is used to import the file into iFile, but the reference for use is through ltm.

    The following on TMSH should create the iFile for reference within an iRule:

    create ltm ifile maintenance file-name maintenance
    

    Or on the Web GUI:

    1. On the Main tab, click Local Traffic > iRules > iFile List.
    2. Click Create.
    3. In the Name field, type a new name for the iFile, such as ifileURL.
    4. From the File Name list, select the name of the imported file object, such as 1k.html.
    5. Click Finished. The new iFile appears in the list of iFiles.
  • I'm still getting the default browser SSL error below; it's still not redirecting to the customized iFile HTML page.

    Secure Connection Failed
    An error occurred during a connection to 192.168.110.115. Cannot communicate securely with peer: no common encryption algorithm(s).
    Error code: SSL_ERROR_NO_CYPHER_OVERLAP

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    Learn more…

    Report errors like this to help Mozilla identify and block malicious sites

    It looks like your network security settings might be causing this. Do you want the default settings to be restored?

    • Andy_McGrath

      Looks like you are getting an SSL issue, likely from not having a compatible cipher suite between the F5 configuration and the browser.

      If you take the iRule off the Virtual Server, does this work? If not, I would get this working first with the desired cipher suite and SSL/TLS protocols.

      With this in mind, are you able to provide your SSL Profile configuration (excluding the cert and key info)?

  • Hello

    Find below an optimised iRule:

    when HTTP_REQUEST {
        switch [SSL::cipher version] {
            "TLSv1" -
            "TLSv1.1" {
                # TLS 1.0 or 1.1: serve the maintenance page from the iFile
                HTTP::respond 503 content [ifile get maintenance] "Content-Type" "text/html"
            }
            default {
                # any other protocol version: do nothing, let the request through
            }
        }
    }

    I think you just forgot to reference your iFile in LTM. Go to Local Traffic, iRules, then "iFile List", then create your iFile reference with the name maintenance...

    Regards,
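A check on the version-matching logic, added here as an example and not code from the thread or from F5: SSL::cipher version returns strings such as TLSv1, TLSv1.1 and TLSv1.2, and a switch -glob pattern such as "TLSv1.*" looks natural but does not match bare "TLSv1" (TLS 1.0 has no dot) while it does match "TLSv1.2". The Python below emulates the glob with fnmatchcase, which follows the same * wildcard and case-sensitive rules as Tcl's string match, and reports which protocols each pattern list would actually send to the maintenance page. The list of version strings is my assumption of what a BIG-IP can report.

```python
from fnmatch import fnmatchcase

# Protocol strings SSL::cipher version can return, as assumed for this example
# ("TLSv1.3" is only reported by BIG-IP versions that support TLS 1.3).
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Candidate pattern lists for the iRule's switch statement.
GLOB_PATTERN = ["TLSv1.*"]                # looks right, but see review_patterns()
EXPLICIT_PATTERNS = ["TLSv1", "TLSv1.1"]  # exactly the two protocols to block


def matches_any(version, patterns):
    """Emulate Tcl `switch -glob`: True if any pattern matches the version.
    fnmatchcase follows the same '*'/'?' wildcard rules as Tcl's string match
    and is case-sensitive, as Tcl's matching is by default."""
    return any(fnmatchcase(version, pattern) for pattern in patterns)


def versions_caught(patterns, versions=VERSIONS):
    """Return the protocol versions that would be sent to the maintenance page."""
    return [v for v in versions if matches_any(v, patterns)]


def review_patterns(patterns, wanted=("TLSv1", "TLSv1.1"), versions=VERSIONS):
    """Compare what a pattern list catches against what the iRule should block.
    Returns (missed, over_matched): legacy versions that slip through and
    modern versions that would wrongly receive the 503 page."""
    caught = set(versions_caught(patterns, versions))
    missed = sorted(set(wanted) - caught)
    over_matched = sorted(caught - set(wanted))
    return missed, over_matched


if __name__ == "__main__":
    for name, pats in (("glob", GLOB_PATTERN), ("explicit", EXPLICIT_PATTERNS)):
        missed, extra = review_patterns(pats)
        print(f"{name:8s} catches {versions_caught(pats)}; missed {missed}; over-matched {extra}")
```

Run as a script it prints one line per pattern list; the glob variant misses TLS 1.0 and would hand the maintenance page to TLS 1.2 clients, which is why an exact match on the two version strings is the safer choice.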

    • youssef1

      Hello,

      Did you check the output logs during your test... /var/log/ltm?

      You can add a log in your iRule: log local0. "cipher version: [SSL::cipher version]"

      Regards,

    • aboulleill_3013

      Dear Youssef,

      Yes, this is what the logs are showing and it's normal, but it seems the iRule is not working.

      Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
      Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
      Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
      Jan 9 11:50:05 f5-IB-1 warning tmm1[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
      Jan 9 11:50:05 f5-IB-1 info tmm1[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6405 -> 192.168.110.115%10:443
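To read that excerpt the way the replies suggest, here is a small log parser added as an example (not code from the thread or from F5). It parses the /var/log/ltm lines quoted above, embedded here as a constructed sample, and separates the two message IDs they contain: 01260009 "Connection error: ssl_hs_rxhello ... unsupported version" is raised while the BIG-IP is still processing the ClientHello, before any HTTP_REQUEST event can run, and 01260013 records the resulting handshake failure per client. The line format and message IDs come from the quoted lines; reading ssl_hs_rxhello as the ClientHello stage is my assumption from the function name.

```python
import re
from collections import Counter

# Constructed sample: the /var/log/ltm lines quoted in the post above.
LTM_LOG = """\
Jan 9 11:49:55 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6368 -> 192.168.110.115%10:443
Jan 9 11:50:00 f5-IB-1 warning tmm3[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:00 f5-IB-1 info tmm3[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6396 -> 192.168.110.115%10:443
Jan 9 11:50:05 f5-IB-1 warning tmm1[20682]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Jan 9 11:50:05 f5-IB-1 info tmm1[20682]: 01260013:6: SSL Handshake failed for TCP 172.16.37.16%10:6405 -> 192.168.110.115%10:443
"""

# Syslog-style prefix written by tmm: timestamp host level tmmN[pid]: msgid:sev: text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>tmm\d+)\[\d+\]: (?P<msgid>\d{8}):\d: (?P<msg>.*)$"
)
# 01260013: handshake failed; addresses may carry a %<route-domain> suffix.
HS_FAIL_RE = re.compile(
    r"SSL Handshake failed for TCP (?P<src>[\d.]+)(?:%\d+)?:(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+)(?:%\d+)?:(?P<dport>\d+)"
)
# 01260009: error while handling the ClientHello (ssl_hs_rxhello, assumed from
# the name); the number in parentheses is the TLS alert sent back, 70 = protocol_version.
HELLO_ERR_RE = re.compile(
    r"Connection error: ssl_hs_rxhello:\d+: (?P<reason>.+?) \((?P<alert>\d+)\)"
)


def parse_ltm(text):
    """Parse ltm log lines into dicts; lines that do not match the prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["kind"] = "other"
        if rec["msgid"] == "01260013":
            hs = HS_FAIL_RE.search(rec["msg"])
            if hs:
                rec["kind"] = "handshake_failed"
                rec.update(hs.groupdict())
        elif rec["msgid"] == "01260009":
            he = HELLO_ERR_RE.search(rec["msg"])
            if he:
                rec["kind"] = "clienthello_rejected"
                rec["reason"] = he["reason"]
                rec["alert"] = int(he["alert"])
        events.append(rec)
    return events


def summarize(events):
    """Count handshake failures per client and ClientHello rejection reasons.
    A ClientHello rejection happens before any HTTP layer exists on the
    connection, so no HTTP_REQUEST iRule event can fire for that client:
    the fix belongs in the client SSL profile (ciphers/options), not in the iRule."""
    failures = Counter(e["src"] for e in events if e["kind"] == "handshake_failed")
    reasons = Counter(e["reason"] for e in events if e["kind"] == "clienthello_rejected")
    return {
        "handshake_failures": dict(failures),
        "clienthello_rejections": dict(reasons),
        # True only if nothing was refused at the ClientHello stage
        "irule_could_have_run": not reasons,
    }


if __name__ == "__main__":
    summary = summarize(parse_ltm(LTM_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the quoted lines the summary shows three failed handshakes from 172.16.37.16, every one preceded by an "unsupported version" rejection of the ClientHello, which is the same conclusion the next reply reaches: the connection never gets far enough for the iRule to matter.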

       

    • youssef1

      Hi Aboulleill,

      I think that your problem is not due to the iRule. You are blocked before iRule execution. It seems that your SSL handshake failed because you use an unsupported version (protocol).

      Can you confirm that you don't set cert auth in your client SSL profile? What did you set in the "Ciphers" option in your client SSL profile?

      And did you test access to your VS with another browser?

      Regards,