ADC

Configure SSL action to forward client traffic if a cipher is not supported on the ADC

Note: This feature is available in release 12.1 build 49.x and later.

In the client hello message, if you receive a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this virtual server of type TCP or SSL_BRIDGE. There is no SSL offload on the ADC and that traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
  2. Bind an SSL service to this virtual server.
  3. Add a load balancing virtual server of type TCP. Note: IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
  4. Add a TCP service with port 443.
  5. Bind this service to the TCP virtual server created earlier.
  6. Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
  7. Add an SSL policy specifying the above action if the specific cipher suite (identified by its hex code) is received in the client hello message.
  8. Bind this policy to the SSL virtual server.
  9. Save the configuration.

Configuration using the CLI

add service ssl-service 10.102.113.155 SSL 443 add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky add ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.ky add lb vserver v1 SSL 10.102.57.186 443 bind ssl vserver v1 -certkeyName sv bind lb vserver v1 ssl-service add lb vserver v2 TCP add service tcp-service 10.102.113.150 TCP 443 bind lb vserver v2 tcp-service add ssl action act1 -forward v2 add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1 bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1
sh ssl vserver v1 Advanced SSL configuration for VServer v1: DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: ENABLED Timeout: 120 seconds Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: ENABLED OCSP Stapling: DISABLED HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED Push Encryption Trigger: Always Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED DHE Key Exchange With PSK: NO Tickets Per Authentication Context: 1 ECC Curve: P_256, P_384, P_224, P_521 1) CertKey Name: sv Server Certificate Data policy 1) Policy Name: pol2 Priority: 1 1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit Done sh ssl policy pol2 Name: pol2 Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f) Action: act1 UndefAction: Use Global Hits: 0 Undef Hits: 0 Policy is bound to following entities 1) Bound to: CLIENTHELLO_REQ VSERVER v1 Priority: 1 Done
sh ssl action act1 1) Name: act1 Type: Data Insertion Forward to: v2 Hits: 0 Undef Hits: 0 Action Reference Count: 1 Done
sh ssl vserver v2 Advanced SSL configuration for VServer v2: DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: ENABLED Timeout: 120 seconds Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: DISABLED OCSP Stapling: DISABLED HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED Push Encryption Trigger: Always Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED DHE Key Exchange With PSK: NO Tickets Per Authentication Context: 1 ECC Curve: P_256, P_384, P_224, P_521 1) CertKey Name: sv Server Certificate 1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit

Configuration using the GUI

Create a TCP virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a TCP virtual server.
  3. Click in the Services and Service Groups section and add a TCP service or bind an existing service.
  4. Click Bind.
  5. Click Continue.

Create an SSL virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create another SSL virtual server.
  3. Click in the Services and Service Groups section and add a new SSL service or bind an existing service.
  4. Click Bind.
  5. Click Continue.
  6. Click in the Certificate section and bind a server certificate.
  7. Click Continue.
  8. In Advanced settings, click SSL Policies.
  9. Click in the SSL Policy section to add or select an existing policy.
  10. In Policy Binding, click Add and specify a name for the policy.
  11. In Action, click Add.
  12. Specify a name for the SSL action. In Forward Action Virtual Server, select the TCP virtual server created earlier.
  13. Click Create.
  14. Specify CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(hex code of the unsupported cipher) in the expression.
  15. Click Done.
  16. In the policy, configure an expression to evaluate traffic for the unsupported cipher.
  17. Bind the action to the policy, and the policy to the SSL virtual server. Specify bind point CLIENTHELLO_REQ.
  18. Click Done.
Configure SSL action to forward client traffic if a cipher is not supported on the ADC