Configure SSL action to forward client traffic if a cipher is not supported on the ADC
Note: This feature is available in release 12.1 build 49.x and later.
In the client hello message, if you receive a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this virtual server of type TCP or SSL_BRIDGE. There is no SSL offload on the ADC and that traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.
Perform the following steps:
- Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
- Bind an SSL service to this virtual server.
- Add a load balancing virtual server of type TCP. Note: IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
- Add a TCP service with port 443.
- Bind this service to the TCP virtual server created earlier.
- Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
- Add an SSL policy specifying the above action if the specific cipher suite (identified by its hex code) is received in the client hello message.
- Bind this policy to the SSL virtual server.
- Save the configuration.
Configuration using the CLI
add service ssl-service 10.102.113.155 SSL 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
add ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.ky
add lb vserver v1 SSL 10.102.57.186 443
bind ssl vserver v1 -certkeyName sv
bind lb vserver v1 ssl-service
add lb vserver v2 TCP
add service tcp-service 10.102.113.150 TCP 443
bind lb vserver v2 tcp-service
add ssl action act1 -forward v2
add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1
bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1
sh ssl vserver v1
Advanced SSL configuration for VServer v1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: sv Server Certificate
Data policy
1) Policy Name: pol2 Priority: 1
1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done
sh ssl policy pol2
Name: pol2
Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f)
Action: act1
UndefAction: Use Global
Hits: 0
Undef Hits: 0
Policy is bound to following entities
1) Bound to: CLIENTHELLO_REQ VSERVER v1
Priority: 1
Done
sh ssl action act1
1) Name: act1
Type: Data Insertion
Forward to: v2
Hits: 0
Undef Hits: 0
Action Reference Count: 1
Done
sh ssl vserver v2
Advanced SSL configuration for VServer v2:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: DISABLED
OCSP Stapling: DISABLED
HSTS: DISABLED
HSTS IncludeSubDomains: NO
HSTS Max-Age: 0
SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
Strict Sig-Digest Check: DISABLED
Zero RTT Early Data: DISABLED
DHE Key Exchange With PSK: NO
Tickets Per Authentication Context: 1
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: sv Server Certificate
1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Configuration using the GUI
Create a TCP virtual server:
- Navigate to Traffic Management > Load Balancing > Virtual Servers.
- Create a TCP virtual server.
- Click in the Services and Service Groups section and add a TCP service or bind an existing service.
- Click Bind.
- Click Continue.
Create an SSL virtual server:
- Navigate to Traffic Management > Load Balancing > Virtual Servers.
- Create another SSL virtual server.
- Click in the Services and Service Groups section and add a new SSL service or bind an existing service.
- Click Bind.
- Click Continue.
- Click in the Certificate section and bind a server certificate.
- Click Continue.
- In Advanced settings, click SSL Policies.
- Click in the SSL Policy section to add or select an existing policy.
- In Policy Binding, click Add and specify a name for the policy.
- In Action, click Add.
- Specify a name for the SSL action. In Forward Action Virtual Server, select the TCP virtual server created earlier.
- Click Create.
- Specify CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(hex code of the unsupported cipher) in the expression.
- Click Done.
- In the policy, configure an expression to evaluate traffic for the unsupported cipher.
- Bind the action to the policy, and the policy to the SSL virtual server. Specify bind point CLIENTHELLO_REQ.
- Click Done.
Configure SSL action to forward client traffic if a cipher is not supported on the ADC
Copied!
Failed!