This iRule helps you gain insight into which protocols and ciphers your clients are using. If you are planning to disable TLSv1.0 and TLSv1.1 on your F5 for any virtual server, it is highly recommended that you enable this iRule for a week first and capture the list of client IP addresses that are still using weak ciphers and deprecated protocols.
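# Inventory helper for a TLS 1.0 / TLS 1.1 retirement: on every completed
# client-side handshake, log the client address, negotiated protocol, cipher
# name, cipher strength and the virtual server name whenever the negotiated
# protocol is "TLSv1" or "TLSv1.1". Handshakes on any other protocol version
# are not logged.
#
# One line is written per matching handshake, so log volume scales with the
# handshake rate of the clients still on these protocols. The token
# LOG_SSL_LEVEL inside each message is literal text, not a variable.
when CLIENTSSL_HANDSHAKE {
    # Read the negotiated protocol once instead of re-querying it per branch.
    set tls_version [SSL::cipher version]

    # Opening braces stay on the same line as the condition: Tcl ends a
    # command at a newline, so an if { ... } whose body brace sits on the
    # following line is not parsed as a single if command.
    if { $tls_version equals "TLSv1" } {
        log local0. "DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    } elseif { $tls_version equals "TLSv1.1" } {
        log local0. "DETECTED-TLSv1.1-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
    }
}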
#F5 #F5LTM #iRule #TLS #cipher #SSL #Handshake #Knowledgesharing Techno Learning Bytes
if { ( [SSL::cipher version] equals "TLSv1" ) }
{
log local0. "DETECTED-TLSv1.0-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
elseif { ( [SSL::cipher version] equals "TLSv1.1" ) }
{
log local0. "DETECTED-TLSv1.1-CONNECTION - LOG_SSL_LEVEL - Client: [IP::client_addr] successfully negotiates [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
}
#F5 #F5LTM #iRule #TLS #cipher #SSL #Handshake #Knowledgesharing Techno Learning Bytes