Forum Discussion

Yozzer
Oct 31, 2014

SSLv3 cipher negotiation log

Is it possible to log in an iRule if a browser tries to negotiate a specific cipher?


I have the following iRule, but this doesn't tell me if a browser tried a disabled cipher before it negotiated an allowed one:


    when HTTP_REQUEST {
        # Check if the client used an SSL cipher (Tcl expr has no "not"; use "!")
        if { ![catch {SSL::cipher version} result] && [string tolower $result] ne "none" } {
            set Name [SSL::cipher name]
            log local0. "Cipher Version is $result and Cipher Name is $Name"
        }
    }


Any advice? Cheers


7 Replies

  • Yozzer

    I would like to see if ciphers with CBC are being attempted. I didn't see anything specific for this in CLIENTSSL_CLIENTHELLO.


    Thanks


  • There is a request for enhancement which is implemented in the next version release.


    ID468803 RFE - iRule command to return SSL ciphersuites presented in Client Hello


    For now, if you want this, you have to manually parse the SSL message.


  • Yozzer

    Thanks. Which specific SSL commands should I use? I don't think the cipher suite is in the list of extensions.


    Cheers


    • nitass
      I understand it is going to be a new command (i.e. a new parameter to an existing command).
  • Yozzer

    Thanks, so I can't manually parse the SSL message until this command is included?


    Cheers


    • nitass
      You can manually parse the SSL message without the command (i.e. collect the TCP payload and parse it). The command would make it much easier.
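A worked parser for the "collect the TCP payload and parse it" approach, added here as an illustration and not code from the thread or from F5. It walks the first TLS record of a client's opening bytes to the cipher_suites vector of the ClientHello and reports which of the offered suites are CBC suites, which is what the original question wants to log regardless of the suite that was eventually negotiated. The ClientHello it parses is constructed inside the block; the suite-name table is an assumption that covers only the IDs the sample uses (values from the IANA TLS Cipher Suite Registry), so anything else is reported by ID. The usual iRule pattern is the same parse applied to the raw bytes from TCP::collect in CLIENT_ACCEPTED and TCP::payload in CLIENT_DATA, decoded with binary scan; Python is used here only so the parsing logic can be run on its own.

```python
import struct

# Names for the suite IDs used in the constructed sample below (IANA TLS
# Cipher Suite Registry values). Assumption: this is the set you care about;
# any suite not listed here is reported by its numeric ID.
CIPHER_SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}


def parse_client_hello(payload):
    """Parse the first TLS record of a client's opening bytes.

    Returns (record_version, client_version, [cipher suite IDs in the order
    offered]), or None if the record is not complete yet (keep collecting).
    Raises ValueError if the bytes are not a ClientHello in a handshake record.
    """
    if len(payload) < 5:
        return None
    content_type, record_version, record_len = struct.unpack("!BHH", payload[:5])
    if content_type != 0x16:
        # SSLv2-style hellos start with a length byte whose high bit is set;
        # plaintext protocols land here too.
        raise ValueError("not a TLS/SSLv3 handshake record")
    if len(payload) < 5 + record_len:
        return None
    body = payload[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None  # ClientHello spans more than one record; need more bytes

    def take(pos, n):
        # Bounds-checked slice so a malformed hello raises instead of misparsing.
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello")
        return hello[pos:pos + n], pos + n

    raw, pos = take(0, 2)
    client_version = struct.unpack("!H", raw)[0]
    _, pos = take(pos, 32)                 # client random
    raw, pos = take(pos, 1)                # session_id length
    _, pos = take(pos, raw[0])             # session_id
    raw, pos = take(pos, 2)                # cipher_suites length
    suites_len = struct.unpack("!H", raw)[0]
    raw, pos = take(pos, suites_len)       # cipher_suites vector
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return record_version, client_version, suites


def suite_name(suite):
    return CIPHER_SUITE_NAMES.get(suite, "0x%04X" % suite)


def cbc_suites_offered(suites):
    """Subset of the offered suites whose (known) name marks them as CBC."""
    return [s for s in suites if "_CBC_" in suite_name(s)]


def describe_client_hello(payload):
    """One log-style line like the iRule's, or None if more bytes are needed."""
    parsed = parse_client_hello(payload)
    if parsed is None:
        return None
    record_version, client_version, suites = parsed
    return "ClientHello record=0x%04x client_version=0x%04x offered=[%s] cbc=[%s]" % (
        record_version, client_version,
        ", ".join(suite_name(s) for s in suites),
        ", ".join(suite_name(s) for s in cbc_suites_offered(suites)))


def build_client_hello(record_version, client_version, suites):
    """Constructed sample: a minimal ClientHello with no session ID or extensions."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake


# Constructed sample: record version SSLv3 (0x0300), client version TLS 1.0
# (0x0301), offering ECDHE-CBC, RSA-CBC, 3DES-CBC, RC4, a GCM suite and the SCSV.
SAMPLE_HELLO = build_client_hello(
    0x0300, 0x0301,
    [0xC013, 0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0x009C, 0x00FF])

if __name__ == "__main__":
    print(describe_client_hello(SAMPLE_HELLO))
    print(describe_client_hello(SAMPLE_HELLO[:20]))  # incomplete record -> None
```

Two things the parser deliberately does that a quick binary scan tends to skip: it returns None rather than guessing when the record or the handshake message has not fully arrived (in an iRule that is the cue to keep collecting), and it refuses records that are not a handshake ClientHello, which is where an SSLv2-format hello or plain HTTP on the wrong port would otherwise be misread as cipher data.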