Forum Discussion
Hello N.,
You can do it differently.
I suggest you use the following iRule. To summarize what it will do:
1) First it will deactivate the SSL processing for all client connections and collect the first 3 bytes of the TCP payload in the CLIENT_ACCEPTED event.
2) Then, from the "CLIENT_DATA" event, it will look at the first 3 bytes retrieved. If it detects an SSL Client Hello handshake packet from version TLSv1.0 to TLSv1.2, it will enable SSL for these connections. If clients are connecting using the old vulnerable SSL version 2.0 or 3.0, it will drop the requests (depending on your security policy you may change that). And finally, if they come with something else, it will disable SSL processing.
So you can apply this iRule and try it.
when CLIENT_ACCEPTED {
    # Disable SSL processing until we know what the client is sending
    SSL::disable
    # Collect the first three bytes of the payload
    TCP::collect 3
}
when CLIENT_DATA {
    if { [TCP::payload length] >= 3 } {
        # Hex-encode the first three bytes (record type + protocol version)
        binary scan [TCP::payload 3] H* hex
        log local0. "Payload in HEX: $hex"
        switch $hex {
            "160301" -
            "160302" -
            "160303" {
                # 160301 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.0
                # 160302 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.1
                # 160303 corresponds to CLIENT HELLO SSL Handshake for version TLSv1.2
                SSL::enable
            }
            "802201" -
            "160300" {
                # 802201 corresponds to CLIENT HELLO SSL Handshake for version SSL 2.0
                #   (0x80 = 2-byte SSLv2 record header, 0x22 = record length, 0x01 = CLIENT-HELLO;
                #   note the middle byte is a length and varies between clients)
                # 160300 corresponds to CLIENT HELLO SSL Handshake for version SSL 3.0
                log local0. "[IP::client_addr] connecting with SSL 2.0 or SSL 3.0 unauthorized"
                drop
            }
            default {
                # Not an SSL/TLS handshake: leave SSL processing disabled
                SSL::disable
            }
        }
    }
    TCP::release
}
Please give us feedback as soon as you try it.
Regards
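The same first-three-bytes decision, written out in Python as an added example (not the poster's iRule and not F5 code) so the record-header logic can be checked offline. It generalises the SSL 2.0 case: instead of matching the single hex string 802201, it tests the high bit of the first byte and the CLIENT-HELLO message type, since the middle byte of an SSLv2 header is a length that differs between clients. The byte strings are constructed samples.

```python
from typing import Tuple

TLS_HANDSHAKE_RECORD = 0x16          # content type: handshake
TLS_MAJOR = 0x03                     # SSL 3.0 / TLS 1.x all use major version 3
SSLV2_CLIENT_HELLO = 0x01            # SSLv2 message type CLIENT-HELLO
MINOR_TO_NAME = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2"}


def hex_prefix(payload: bytes) -> str:
    """Same value the iRule logs: lowercase hex of the first three bytes."""
    return payload[:3].hex()


def classify_first_bytes(payload: bytes) -> Tuple[str, str]:
    """Return (action, protocol) mirroring the iRule's switch.

    action is one of: 'collect' (need more bytes), 'enable', 'drop', 'disable'.
    """
    if len(payload) < 3:
        return ("collect", "incomplete")
    b0, b1, b2 = payload[0], payload[1], payload[2]

    # SSLv2 record: MSB of byte 0 set means a 2-byte header whose low 15 bits are
    # the length; byte 2 is then the message type. Matching on the type rather than
    # on 0x22 catches CLIENT-HELLOs of any length (the iRule only matches 802201).
    if b0 & 0x80 and b2 == SSLV2_CLIENT_HELLO:
        return ("drop", "SSL 2.0")

    # SSL 3.0 / TLS 1.x record: 0x16 then the 2-byte protocol version.
    if b0 == TLS_HANDSHAKE_RECORD and b1 == TLS_MAJOR:
        name = MINOR_TO_NAME.get(b2)
        if name == "SSL 3.0":
            return ("drop", name)
        if name is not None:
            return ("enable", name)
        # A minor version the iRule does not list falls into its default branch.
        return ("disable", "unknown 0x03%02x" % b2)

    # Anything else (plain HTTP, SSH, ...) is passed with SSL processing off.
    return ("disable", "not TLS")


if __name__ == "__main__":
    # Constructed samples: start of a TLS 1.2 ClientHello record, an SSLv2
    # CLIENT-HELLO with a 46-byte body, and a cleartext HTTP request.
    for sample in (b"\x16\x03\x03\x00\x5c\x01", b"\x80\x2e\x01\x00\x02", b"GET / HTTP/1.1\r\n"):
        print(hex_prefix(sample), classify_first_bytes(sample))
```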