Configure SSL action to forward client traffic if a cipher is not supported on the ADC
September 14, 2021 Contributed by: S
Note: This feature is available in release 12.1 build 49.x and later.
If the client hello message contains a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this forward virtual server of type TCP or SSL_BRIDGE: the ADC performs no SSL offload and the traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.
Perform the following steps:
- Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
- Bind an SSL service to this virtual server.
- Add a load balancing virtual server of type TCP. Note: An IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
- Add a TCP service with port 443.
- Bind this service to the TCP virtual server created earlier.
- Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
- Add an SSL policy specifying the preceding action if the specific cipher suite (identified by its hex code) is received in the client hello message.
- Bind this policy to the SSL virtual server.
- Save the configuration.
Configuration using the CLI
add service ssl-service 10.102.113.155 SSL 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
add ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.ky
add lb vserver v1 SSL 10.102.57.186 443
bind ssl vserver v1 -certkeyName sv
bind lb vserver v1 ssl-service
add lb vserver v2 TCP
add service tcp-service 10.102.113.150 TCP 443
bind lb vserver v2 tcp-service
add ssl action act1 -forward v2
add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1
bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1
sh ssl vserver v1
Advanced SSL configuration for VServer v1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: sv Server Certificate

Data policy
1) Policy Name: pol2 Priority: 1

1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit
Done

sh ssl policy pol2
Name: pol2
Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f)
Action: act1
UndefAction: Use Global
Hits: 0
Undef Hits: 0
Policy is bound to following entities
1) Bound to: CLIENTHELLO_REQ VSERVER v1 Priority: 1
Done
sh ssl action act1
1) Name: act1
Type: Data Insertion
Forward to: v2
Hits: 0
Undef Hits: 0
Action Reference Count: 1
Done
sh ssl vserver v2
Advanced SSL configuration for VServer v2:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: sv Server Certificate

1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit
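To show what the policy rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) actually evaluates, the following added example (not part of the Citrix documentation or the ADC code) parses a TLS ClientHello record, extracts the offered cipher suite list and returns the forward decision. The ClientHello bytes are constructed inline; the vserver names v1 and v2, the hex code 0x002f (TLS_RSA_WITH_AES_128_CBC_SHA) and the "present in the offered list" semantics are assumed from the CLI configuration above.

```python
import struct

def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (test input built here, not captured traffic)."""
    body = b"\x03\x03" + bytes(32)                       # client_version + 32-byte random (zeroed)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))    # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    body += b"\x00\x00"                                  # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_ciphers(record):
    """Return the cipher suite codes offered in a ClientHello record, in client preference order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cs = body[pos:pos + cs_len]
    if len(cs) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher suite list")
    return [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]

def has_hexcode(record, code):
    """Assumed equivalent of CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE: code is anywhere in the list."""
    return code in client_hello_ciphers(record)

def forward_target(record, unsupported=0x002f):
    """Mirror of pol2 -> act1: a hello offering the unsupported code is forwarded to v2, else stays on v1."""
    return "v2" if has_hexcode(record, unsupported) else "v1"

if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0x002F, 0x009C])
    print(forward_target(hello))                         # v2
```

Note that the rule matches whenever the code appears anywhere in the offered list, so a client that also offers ciphers the ADC supports is still forwarded; choose the hex code accordingly.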
Configuration using the GUI
Create a TCP virtual server:
- Navigate to Traffic Management > Load Balancing > Virtual Servers.
- Create a TCP virtual server.
- Click in the Services and Service Groups section and add a TCP service or bind an existing service.
- Click Bind.
- Click Continue.
Create an SSL virtual server:
- Navigate to Traffic Management > Load Balancing > Virtual Servers.
- Create an SSL virtual server.
- Click in the Services and Service Groups section and add a new SSL service or bind an existing service.
- Click Bind.
- Click Continue.
- Click in the Certificate section and bind a server certificate.
- Click Continue.
- In Advanced settings, click SSL Policies.
- Click in the SSL Policy section to add or select an existing policy.
- In Policy Binding, click Add and specify a name for the policy.
- In Action, click Add.
- Specify a name for the SSL action. In Forward Action Virtual Server, select the TCP virtual server created earlier.
- Click Create.
- Specify CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(<hex code of the unsupported cipher>) in the expression.
- Click Done.
- In the policy, configure an expression to evaluate traffic for the unsupported cipher.
- Bind the action to the policy, and the policy to the SSL virtual server. Specify bind point CLIENTHELLO_REQ.
- Click Done.