Forum Discussion

dennypayne (Employee)
Oct 21, 2008

Detecting TLS v1.1

Does anyone know what string (if anything) LTM 9.4.x will return for [SSL::cipher version] if the client is using TLS v1.1 (i.e. Opera)?

I'm trying to account for the possibility of a TLS v1.1 request coming into the following iRule and I haven't yet been able to actually create a v1.1 request to determine what the correct string might be...

Denny

 
when HTTP_REQUEST {
    # get encryption strength
    set ver [SSL::cipher version]
    set strength [SSL::cipher bits]

    # Is client SSLv3 or TLSv1 and at least 128 bit?
    if { ($ver eq "SSLv3") or ($ver eq "TLSv1") } {
        if { $strength < 128 } {
            HTTP::redirect "http://www.domain.com/upgradebrowser.html"
        }
    } else {
        # Tcl requires "else" on the same line as the closing brace of the if body
        HTTP::redirect "http://www.domain.com/upgradebrowser.html"
    }
}

3 Replies

  • Steve_Scott_873 (Historic F5 Account)
    Why not just set no SSLv2 on your Client Profile? The error message isn't as friendly, but SSLv2 has serious security flaws and has been replaced with SSLv3 since 1996.

    Either that or turn it on its head and match $ver == "SSLv2", which is only one comparison and will therefore save you a few CPU cycles. Also, standards will continue to evolve, and TLS 1.2 was approved in August.
  • And actually, in my testing IE doesn't even get an error message; it just silently fails to connect to the site if forced to use SSL v2. So the customer feels the need to mitigate this with an error page with instructions.

    Denny
  • Steve_Scott_873 (Historic F5 Account)
    Denny,

    You'll need to find a REALLY old browser that only supports SSLv2 to get any meaningful results. Any modern browser will avoid SSLv2 like the plague for obvious reasons (glaring security holes).

    If you want to test with a modern browser, a tcpdump / ssldump will probably give you a reasonable idea of how far it's getting (does it fail at key negotiation, or does it send an HTTP request?).

    Also, have you got Ciphers set to ALL on your SSL Profile? If it's the default, it might not have any compatible ciphers available, even though SSLv2 is not explicitly disabled.
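As an added example (not code from the thread), here is an iRule that applies the inversion Steve suggests: it redirects only what is known to be bad (SSLv2, or a negotiated key shorter than 128 bits) rather than enumerating the versions that are allowed, so a client whose version string the rule has never seen, such as a TLS v1.1 client, is accepted by default instead of being sent to the upgrade page. It also logs any version string outside the two the original rule lists, so the exact value [SSL::cipher version] returns on a given release can be read from the log once a real client connects, rather than being guessed. The redirect target is the placeholder URL from the original post; the log facility/level and message format are assumptions, and the rule assumes a clientssl profile is attached to the virtual server (SSL::cipher is only valid there).

```tcl
# Added example, not from the thread.
# Assumed: a clientssl profile on the virtual server, log facility local0,
# and the placeholder redirect URL from the original post.
when HTTP_REQUEST {
    set ver  [SSL::cipher version]
    set bits [SSL::cipher bits]

    # Reject only what is known to be bad: SSLv2, or a key under 128 bits.
    # Anything else, including version strings not listed anywhere in this
    # rule, is allowed through. One version comparison plus one integer test.
    if { ($ver eq "SSLv2") || ($bits < 128) } {
        log local0.info "weak client rejected: version=$ver bits=$bits client=[IP::client_addr]"
        HTTP::redirect "http://www.domain.com/upgradebrowser.html"
        return
    }

    # Record any version string the original rule did not account for, so the
    # value returned for a TLS v1.1 (or later) client shows up in the log.
    if { !(($ver eq "SSLv3") || ($ver eq "TLSv1")) } {
        log local0.info "unlisted SSL::cipher version '$ver' bits=$bits client=[IP::client_addr]"
    }
}
```

Because the redirect points at plain http://, the upgrade page is served outside the clientssl profile and the rule cannot loop on itself. The second log line fires on every request from an unlisted version, so once the string for a given release is known it is worth removing or rate-limiting that branch to keep the log quiet.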