Forum Discussion

LeonardoF5_1747's avatar
LeonardoF5_1747
Icon for Nimbostratus rankNimbostratus
Oct 10, 2017

Irule Check SSL Version and Redirect

Just to share my irule to check SSL Cypher or Bits on SSL Handshake, and redirect to another url.

This working on Firefox,Chrome and IE.

when CLIENTSSL_HANDSHAKE {
    if { ( [SSL::cipher version] <= "TLSv1" ) } {
        log local0. "Denegacion SSL Handshake para el Cliente [IP::client_addr]:[TCP::client_port] usando [SSL::cipher version], [SSL::cipher name] y [SSL::cipher bits]"
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}
when HTTP_REQUEST {
    if { $invalid_ssl } then {
    HTTP::redirect "http://www.example.com/example"
    TCP::close
        event disable all
        return
            }
}

Regards.

  • Hi Leonardo,

    unfortunately your iRule works only by "accident" since your

    [SSL::cipher version] <= "TLSv1"
    expression performs a numerical lesser or equal comparsion on non-numeric values.

    Basically you just check if the requested cipher version string has a lower order in the alphabet than "TLSv1" without checking if something is more secure than the other...

    "TLSv1.2" <= "TLSv1" = Allow
    "TLSv1.1" <= "TLSv1" = Allow
    "TLSv1" <= "TLSv1" = Block
    "SSL3" <= "TLSv1" = Block
    "SSL2" <= "TLSv1" = Block
    "A" <= "TLSv1" = Block
    "Z" <= "TLSv1" = Allow
    "a" <= "TLSv1" = Block
    "z" <= "TLSv1" = Block
    

    To compare text strings reliable you should only use

    equals
    ,
    eq
    ,
    ne
    ,
    starts_with
    ,
    ends_with
    and
    contains
    directives and use
    ==
    ,
    !=
    ,
    <=
    and
    >=
    only for pure numeric comparsions.

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] ne "TLSv1.1" ) 
         and ( [SSL::cipher version] ne "TLSv1.2" ) } then {
            log local0. "Denegacion SSL Handshake para el Cliente [IP::client_addr]:[TCP::client_port] usando [SSL::cipher version], [SSL::cipher name] y [SSL::cipher bits]"
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            HTTP::redirect "http://www.example.com/example"
            TCP::close
            event disable all
            return
        }
    }
    

    Cheers, Kai