Configure SSL action to forward client traffic if a cipher is not supported on the ADC 编辑

September 14, 2021 Contributed by:  S

Configure SSL action to forward client traffic if a cipher is not supported on the ADC

Note: This feature is available in release 12.1 build 49.x and later.

In the client hello message, if you receive a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this virtual server of type TCP or SSL_BRIDGE. There is no SSL offload on the ADC and that traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
  2. Bind an SSL service to this virtual server.
  3. Add a load balancing virtual server of type TCP. Note: IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
  4. Add a TCP service with port 443.
  5. Bind this service to the TCP virtual server created earlier.
  6. Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
  7. Add an SSL policy specifying the preceding action if the specific cipher suite (identified by its hex code) is received in the client hello message.
  8. Bind this policy to the SSL virtual server.
  9. Save the configuration.


Configuration using the CLI

add service ssl-service 10.102.113.155 SSL 443add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.kyadd ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.kyadd lb vserver v1 SSL 10.102.57.186 443bind ssl vserver v1 -certkeyName svbind lb vserver v1 ssl-serviceadd lb vserver v2 TCPadd service tcp-service 10.102.113.150 TCP 443bind lb vserver v2 tcp-serviceadd ssl action act1 -forward v2add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1<!--NeedCopy-->
sh ssl vserver v1    Advanced SSL configuration for VServer v1:    DH: DISABLED    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0    Session Reuse: ENABLED  Timeout: 120 seconds    Cipher Redirect: DISABLED    SSLv2 Redirect: DISABLED    ClearText Port: 0    Client Auth: DISABLED    SSL Redirect: DISABLED    Non FIPS Ciphers: DISABLED    SNI: ENABLED    OCSP Stapling: DISABLED    HSTS: DISABLED    HSTS IncludeSubDomains: NO    HSTS Max-Age: 0    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED    Push Encryption Trigger: Always    Send Close-Notify: YES    Strict Sig-Digest Check: DISABLED    Zero RTT Early Data: DISABLED    DHE Key Exchange With PSK: NO    Tickets Per Authentication Context: 1    ECC Curve: P_256, P_384, P_224, P_5211)  CertKey Name: sv    Server Certificate    Data policy1)  Policy Name: pol2   Priority: 11)  Cipher Name: DEFAULT    Description: Default cipher list with encryption strength >= 128bit Donesh ssl policy pol2    Name: pol2    Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f)    Action: act1    UndefAction: Use Global    Hits: 0    Undef Hits: 0    Policy is bound to following entities1)  Bound to: CLIENTHELLO_REQ VSERVER v1    Priority: 1 Done<!--NeedCopy-->
sh ssl action act11)  Name: act1    Type: Data Insertion    Forward to: v2    Hits: 0    Undef Hits: 0    Action Reference Count: 1 Done<!--NeedCopy-->
sh ssl vserver v2    Advanced SSL configuration for VServer v2:    DH: DISABLED    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0    Session Reuse: ENABLED  Timeout: 120    seconds    Cipher Redirect: DISABLED    SSLv2 Redirect: DISABLED    ClearText Port: 0    Client Auth: DISABLED    SSL Redirect: DISABLED    Non FIPS Ciphers: DISABLED    SNI: DISABLED    OCSP Stapling: DISABLED    HSTS: DISABLED    HSTS IncludeSubDomains: NO    HSTS Max-Age: 0    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED    Push Encryption Trigger: Always    Send Close-Notify: YES    Strict Sig-Digest Check: DISABLED    Zero RTT Early Data: DISABLED    DHE Key Exchange With PSK: NO    Tickets Per Authentication Context: 1    ECC Curve: P_256, P_384, P_224, P_5211)  CertKey Name: sv    Server Certificate1)  Cipher Name: DEFAULT    Description: Default cipher list with encryption strength >= 128bit<!--NeedCopy-->


Configuration using the GUI

Create a TCP virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a TCP virtual server.
  3. Click in the Services and Service Groups section and add a TCP service or bind an existing service.
  4. Click Bind.
  5. Click Continue.

Create an SSL virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create another SSL virtual server.
  3. Click in the Services and Service Groups section and add a new SSL service or bind an existing service.
  4. Click Bind.
  5. Click Continue.
  6. Click in the Certificate section and bind a server certificate.
  7. Click Continue.
  8. In Advanced settings, click SSL Policies.
  9. Click in the SSL Policy section to add or select an existing policy.
  10. In Policy Binding, click Add and specify a name for the policy.
  11. In Action, click Add.
  12. Specify a name for the SSL action. In Forward Action Virtual Server, select the TCP virtual server created earlier.
  13. Click Create.
  14. Specify CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(hex code of the unsupported cipher) in the expression.
  15. Click Done.
  16. In the policy, configure an expression to evaluate traffic for the unsupported cipher.
  17. Bind the action to the policy, and the policy to the SSL virtual server. Specify bind point CLIENTHELLO_REQ.
  18. Click Done.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:27 次

字数:7082

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文