TLS/1.0, PCI, and a custom message for HTTP response status codes
By June 30, 2018 we would like to turn off TLS/1.0 on all our HTTPS websites, in order to be compliant with PCI requirements.
Instead of just turning TLS/1.0 off, we would like to use that time between now and June 30, 2018 to seamlessly phase the TLS/1.0 out.
To do so, our F5 still supports all TLS protocols (TLS/1.0, TLS/1.1, and TLS/1.2), but only the clients supporting TLS/1.1 and above get the actual website content. Everyone else (clients supporting TLS/1.0 only) gets a custom error page informing them about the browser upgrade requirement.
To achieve that, I'm using the HTTP status code "426 Upgrade Required". Please see:
The expected result is:
HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.1, HTTP/1.1
Connection: Upgrade
... Human-readable HTML page describing why the upgrade is required
and what to do if this text is seen ...
Unfortunately, F5 gives me the following result:
HTTP/1.1 426 Unknown Code
Upgrade: TLS/1.1, HTTP/1.1
Connection: close
... Human-readable HTML page describing why the upgrade is required
and what to do if this text is seen ...
My iRule looks like this:
# Detect TLSv1.0 protocol and send HTTP 426
when HTTP_REQUEST priority 150 {
    if { [SSL::cipher version] equals "TLSv1" } {
        log local0. "TLS/1.0 connection detected from [IP::client_addr] for [HTTP::host]"
        HTTP::respond 426 -version auto content $static::obsolete_browser_page noserver "Upgrade" "TLS/1.1, HTTP/1.1" "Content-Type" "text/html" "Cache-Control" "no-cache" "Retry-After" "60" "Connection" "Close"
        event disable
        return
    }
}
If I use "Connection" "Upgrade" in the HTTP::respond code, as defined in the aforementioned RFC2817, F5 replaces it with Connection: Keep-Alive in the actual response which is being sent back to the client.
My questions are:
Question 1: is there a way in F5 to replace the message in HTTP response, so that it says:
HTTP/1.1 426 Upgrade Required
instead of
HTTP/1.1 426 Unknown Code
Question 2: is there a way to force F5 to send HTTP header that says:
Connection: Upgrade
instead of
Connection: close
or
Connection: Keep-Alive
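As an added check, not part of the original post and not F5 code: a small Python script that parses a raw HTTP response and reports where it deviates from the 426 response the post expects (reason phrase, Upgrade header, an "upgrade" token in Connection, and a non-empty explanatory body). The two sample responses are constructed from the expected and actual output quoted in the post.

```python
# Constructed sample responses, built from the expected vs. actual output in the post.
EXPECTED_RESPONSE = (
    b"HTTP/1.1 426 Upgrade Required\r\n"
    b"Upgrade: TLS/1.1, HTTP/1.1\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
    b"<html><body>Your browser only supports TLS/1.0; please upgrade it.</body></html>"
)
F5_RESPONSE = (
    b"HTTP/1.1 426 Unknown Code\r\n"
    b"Upgrade: TLS/1.1, HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>Your browser only supports TLS/1.0; please upgrade it.</body></html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, reason phrase, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.1 426 Upgrade Required"
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:                  # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers, body


def check_426_response(raw: bytes) -> list:
    """Return the deviations from the 426 'Upgrade Required' response described in the post."""
    status, reason, headers, body = parse_response(raw)
    problems = []
    if status != 426:
        problems.append(f"status {status} != 426")
    if reason != "Upgrade Required":
        problems.append(f"reason phrase {reason!r} != 'Upgrade Required'")
    if headers.get("upgrade") != "TLS/1.1, HTTP/1.1":
        problems.append(f"Upgrade header {headers.get('upgrade')!r} != 'TLS/1.1, HTTP/1.1'")
    # Connection is a comma-separated token list; the 'upgrade' token must be present.
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append(f"Connection header {headers.get('connection')!r} lacks the 'upgrade' token")
    if not body.strip():
        problems.append("empty body: the client gets no human-readable explanation")
    return problems
```

To check a live virtual server, replace the constructed bytes with the response read back over a TLS/1.0 connection to the F5; an empty list means the response matches the expectation above.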