Forum Discussion

soymanue
Feb 12, 2016

Log SSL Cipher Version and User Agent Info

Hi
I need to log if there are connections using SSLv3 Cipher before disabling it.
I'm using this code:
when CLIENTSSL_HANDSHAKE {
    # count handshakes per virtual server and negotiated protocol version
    ISTATS::incr "ltm.virtual [virtual name] c [SSL::cipher version]" 1
    # flag SSLv2/SSLv3, RC4 and sub-128-bit ciphers for later logging
    if { ( [SSL::cipher version] contains "SSL" ) or ( [SSL::cipher name] contains "RC4" ) or ( [SSL::cipher bits] < 128 ) } then {
        set invalid_ssl 1
    } else {
        set invalid_ssl 0
    }
}

That way I get the usage of the different Cipher versions but there isn't any information about OS or Browser.

That info is in [HTTP::header User-Agent] but can't be used inside CLIENTSSL_HANDSHAKE. It could be done in HTTP_REQUEST, but it would be executed several times for the same session and the stats wouldn't be reliable. How could I log the Cipher Version and User-Agent data just once for each session? Thanks


  • Hi Manuel,

    basically you can do two things...

    Example 1: If using additional HTTP_REQUEST iRules

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] contains "SSL" ) or 
             ( [SSL::cipher name] contains "DES" ) or 
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
            HTTP::redirect http://www.domain.de/errorpage.html
            TCP::close
        }
    }
    

    Note: The above example would add very little overhead for consecutive requests using the same TCP session.

    Example 2: If NOT using additional HTTP_REQUEST iRules

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] contains "SSL" ) or 
             ( [SSL::cipher name] contains "DES" ) or 
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
            HTTP::redirect http://www.domain.de/errorpage.html
            TCP::close
        } else {
            event HTTP_REQUEST disable
        }
    }
    

    Note: The above example would disable further processing of HTTP_REQUEST events for the current TCP connection. So it wouldn't add additional overhead for consecutive requests using the same TCP session.

    Note: Integrate your ISTATS counters as needed... 😉

    Cheers, Kai

  • Hello

    Thanks for your answer. Unfortunately I can't redirect to an error page. The service must be available even if you connect with SSLv3 for a while, until we have the stats.

    So I need to log just once per connection:

    log local0.debug "SSLv3 cipher connection for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"

    And let the connection work.

    I have another event with HTTP_REQUEST to detect if the client uses client certificate authentication. Therefore, I can't disable the HTTP_REQUEST event.

    Regards

  • Ah okay... it's just for logging. Then try this... 😉

    when CLIENTSSL_HANDSHAKE {
        if { ( [SSL::cipher version] contains "SSL" ) or 
             ( [SSL::cipher name] contains "DES" ) or 
             ( [SSL::cipher name] contains "RC4" ) or
             ( [SSL::cipher bits] < 128 ) } then {
            set invalid_ssl 1
        } else {
            set invalid_ssl 0
        }
    }
    when HTTP_REQUEST {
        if { $invalid_ssl } then {
            log local0.debug "Denied SSL Handshake for Client [IP::client_addr]:[TCP::client_port] using [SSL::cipher version], [SSL::cipher name] and [SSL::cipher bits] bits using the Agent [HTTP::header value "User-Agent"]"
            set invalid_ssl 0
        }
    }
    

    Note: The outlined iRule would now [log] (or possibly [ISTATS]) just once per SSL connection.

    Cheers, Kai
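The thread ends with an iRule that writes one log line per SSL connection; the stats the asker wants (how many connections still use SSLv3, and from which browsers or OSs) then come from those lines. The following is an added example, not code from the thread or from F5: it parses the message body produced by the last iRule above and tallies it by protocol version and User-Agent. The syslog prefix on the sample lines and the sample lines themselves are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real BIG-IP output). The syslog prefix is an
# assumption; the message body is the string the iRule's "log local0.debug" builds.
SAMPLE_LOG = """\
Feb 12 10:01:02 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 192.0.2.10:51234 using SSLv3, RC4-SHA and 128 bits using the Agent Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Feb 12 10:01:05 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 192.0.2.11:40222 using TLSv1, DES-CBC3-SHA and 168 bits using the Agent Java/1.6.0_45
Feb 12 10:01:09 bigip1 info tmm[1234]: Rule /Common/ssl_log <HTTP_REQUEST>: Denied SSL Handshake for Client 192.0.2.10:51240 using SSLv3, RC4-SHA and 128 bits using the Agent Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Feb 12 10:01:12 bigip1 info tmm[1234]: unrelated message that must be ignored
"""

# Field layout follows the iRule's log string: "... Client <ip>:<port> using
# <version>, <cipher> and <bits> bits using the Agent <User-Agent>".
LINE_RE = re.compile(
    r"Denied SSL Handshake for Client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) "
    r"using (?P<version>[^,]+), (?P<cipher>\S+) and (?P<bits>\d+) bits "
    r"using the Agent (?P<ua>.*)$"
)


def parse_line(line):
    """Return the fields of one weak-handshake log line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def summarize(log_text):
    """Tally log lines by protocol version and by (version, User-Agent).

    Also records the distinct client IPs per (version, User-Agent) so one
    chatty host can be told apart from a large population of old clients.
    """
    by_version, by_version_agent, clients = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["version"], rec["ua"])
        by_version[rec["version"]] += 1
        by_version_agent[key] += 1
        clients.setdefault(key, set()).add(rec["ip"])
    return by_version, by_version_agent, clients


if __name__ == "__main__":
    _, by_agent, clients = summarize(SAMPLE_LOG)
    for (version, ua), n in by_agent.most_common():
        print(f"{version:8} {n:4} conns {len(clients[(version, ua)]):3} clients  {ua}")
```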