ltm rule command SSL cipher

iRule(1)					  BIG-IP TMSH Manual					     iRule(1)

SSL::cipher
       Returns SSL cipher information.

SYNOPSIS
       SSL::cipher (bits | name | version |
			    (clientlist (-codes)?))

DESCRIPTION
       Returns an SSL cipher name, its version, and the number of secret bits used.

RETURN VALUE
       SSL::cipher name
           Returns the current SSL cipher name using the format of the OpenSSL SSL_CIPHER_get_name() function
           (e.g. "EDH-RSA-DES-CBC3-SHA" or "RC4-MD5").

       SSL::cipher version
           Returns the current SSL cipher version using the format of the OpenSSL SSL_CIPHER_get_version()
           function (e.g. "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2").

       SSL::cipher bits
           Returns the number of secret bits that the current SSL cipher used, using the format of the OpenSSL
           SSL_CIPHER_get_bits() function (e.g. 256, 128 or 40).

VALID DURING
EXAMPLES
	when HTTP_REQUEST {
	    # Check encryption strength
	    if { [SSL::cipher bits] >= 128 } {
		pool web_servers
	    } else {
		# Client is using a weak cipher
		# Use exactly one of the destination commands below and remove the others

		# Either specify a pool
		pool sorry_servers

		# or to a specific node
		node 10.10.10.10

		# or send a 302 response to redirect to a specific URL
		# Set cache control headers to prevent proxies from caching the response.
		HTTP::respond 302 Location "http://some_address/sorry.html" Cache-Control No-Cache Pragma No-Cache
	    }
	}
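
       The check above looks only at SSL::cipher bits, so a cipher such as "RC4-MD5" (128 secret bits)
       negotiated over "SSLv3" would still reach web_servers. The iRule below is an added example, not part
       of the F5 manual: it combines all three documented return values. The name patterns and the log
       wording are assumptions; the pool names are reused from the example above.

```tcl
# Added example (not F5's code): classify the negotiated cipher by
# protocol version, cipher name and secret bits, not by bits alone.
when HTTP_REQUEST {
    # Read the three documented values once per request
    set c_name    [SSL::cipher name]
    set c_version [SSL::cipher version]
    set c_bits    [SSL::cipher bits]

    # Empty string means "no weakness found"
    set weak_reason ""

    # 1. Protocol version: strings follow SSL_CIPHER_get_version() format
    switch -exact -- $c_version {
        "SSLv2" -
        "SSLv3" { set weak_reason "legacy protocol $c_version" }
    }

    # 2. Cipher name: strings follow SSL_CIPHER_get_name() format.
    #    Patterns are illustrative assumptions: RC4, single DES and 3DES
    #    (DES-CBC / DES-CBC3), NULL encryption and export-grade suites.
    if { $weak_reason eq "" } {
        switch -glob -- $c_name {
            "*RC4*" -
            "*DES-CBC*" -
            "*NULL*" -
            "EXP*" { set weak_reason "weak cipher $c_name" }
        }
    }

    # 3. Secret bits: same threshold as the manual's example
    if { $weak_reason eq "" && $c_bits < 128 } {
        set weak_reason "only $c_bits secret bits"
    }

    if { $weak_reason ne "" } {
        # Record who negotiated what, so weak clients can be tracked down
        log local0.warning "weak TLS from [IP::client_addr]: $weak_reason\
            (name=$c_name version=$c_version bits=$c_bits)"
        pool sorry_servers
    } else {
        pool web_servers
    }
}
```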

HINTS
SEE ALSO
       Sample Code:
           Cipher Strength Pool Selection - Select a pool based on the client's encryption level.
           Custom Apache-style logging for Java-based applications - I had a requirement to have the F5 BigIP
           produce logs which replicated our ...
           Redirect Non-SSL Requests on SSL Virtual Server Rule - This iRule sends an HTTP redirect to clients
           who make an HTTP request to an HTTPS virtual server
           Redirect On Weak Encryption - This rule illustrates how to redirect a client to an un-encrypted
           page with an informational error if the client does not have at least 128 bits of encryption.

CHANGE LOG
       @BIGIP-9.0.0 --First introduced the command.

BIG-IP						      2020-06-23					     iRule(1)