Forum Discussion

nathe
Nov 17, 2009

SSL redirect iRule

Afternoon,

We have a Big-IP ASM appliance (v9.4.4) in front of our Corporate internet site. We need to restrict customers from connecting with less than 128-bit encryption and hope to redirect them to an informational page outlining how to upgrade their browser, for example.

If I add the iRule as per the "Devcentral Wiki: Redirect on Weak Encryption", when I access the https page I get redirected to the URL mentioned in the iRule (which I've changed accordingly). So this works fine.

However, if on the SSL Client profile I then change the Ciphers to DEFAULT:!ADH:!EXPORT40:!EXP:!LOW to block non-128-bit connections, then I get "page cannot be displayed" rather than the redirected URL.

Can both the iRule and the custom Cipher work in tandem?

Thanks in advance.

Nathan

3 Replies

  • Hi Nathan,

    With the client SSL profile set to not allow the 128-bit cipher, LTM will send a reset to a client who attempts to use a 128-bit cipher. This will happen regardless of whether the iRule is enabled or not.

    The iRule is a better option as it tells the client that there is a problem and how to fix it. The only downside to the iRule option is that vulnerability scans will show a false positive for weak ciphers. It's safe to ignore this as no client with a weak cipher will be able to get past LTM.

    Aaron
  • nathe
    Thanks Aaron,

    You're spot on with the reasoning behind why we are doing this - an external vulnerability test highlighted the issue. I was at first only intending to add a custom cipher to the SSL profile; it was only later that I found the iRule to redirect.

    I am leaning towards remediating the vulnerability threat, but that does mean we lose the redirect. Can you think of any other way we could do this via F5?

    Thanks in advance,

    Nathan

  • Hi Nathan,

    In order to send the redirect, you have to allow the weak cipher in the client SSL profile. It's not actually a vulnerability though, as you're not allowing a client with a weak cipher to connect to anything beyond the LTM. It will still show up as an issue in a pen test, but it's not a true problem.

    Aaron
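To tie Nathan's question and Aaron's last reply together, here is the arrangement Aaron describes (client SSL profile left permissive, the iRule doing the enforcement) as an added example. It is not the DevCentral wiki iRule that Nathan tested and not code posted by either participant; the log prefix, the page text and the decision to answer the weak client inline rather than redirect it are assumptions, and it assumes the SSL::cipher command is available on the running TMOS version.

```tcl
# Added example for this thread: not the DevCentral wiki iRule, not code
# posted by nathe or Aaron. Attach to an HTTPS virtual server (with an HTTP
# profile) whose client SSL profile still PERMITS the sub-128-bit ciphers, so
# the handshake completes and this rule gets to see what was negotiated.
when HTTP_REQUEST {
    # SSL::cipher bits is the symmetric key length negotiated on this
    # connection; the scanner's "weak cipher" finding is anything below 128.
    set bits [SSL::cipher bits]
    if { $bits >= 128 } {
        # Strong enough: let the request go on to the pool as normal.
        return
    }

    # Log prefix is an assumption; keep the cipher name so the scan finding
    # can be matched against real client traffic later.
    log local0. "weak-cipher: [IP::client_addr] negotiated [SSL::cipher name] ($bits bits) for [HTTP::host][HTTP::uri]"

    # Answer from the LTM itself instead of redirecting to a page on this same
    # virtual server: a redirect back here would loop (the weak client would
    # hit this same check on its next request), and answering inline means no
    # weak-cipher client ever reaches a pool member, which is the property
    # Aaron relies on when he calls the scan result a false positive.
    set body "<html><head><title>Browser upgrade required</title></head>\
<body><h1>Your browser uses weak encryption</h1>\
<p>This site requires 128-bit encryption. Your browser negotiated \
[SSL::cipher name] at $bits bits, which is not accepted. Please upgrade \
your browser, or enable strong ciphers in its settings, and try again.</p>\
</body></html>"

    HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"
}
```

The client SSL profile on that virtual must keep the weak ciphers enabled (for example the plain DEFAULT string Nathan started from); with DEFAULT:!ADH:!EXPORT40:!EXP:!LOW the handshake is reset before HTTP_REQUEST ever fires, which is the "page cannot be displayed" Nathan saw, and leaving them enabled is exactly why the external scan keeps flagging the virtual, as Aaron says. If the informational page has to be a real redirect, point it at a host that is not behind this same virtual server (or a plain-HTTP page), otherwise the weak client is bounced straight back into the same check. Older Internet Explorer versions replace a 4xx body shorter than 512 bytes with their own "friendly" error page, so either keep the body above that size or return 200 for the informational page.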