Configure SSL action to forward client traffic if a cipher is not supported on the ADC

In the client hello message, if you receive a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this virtual server of type TCP or SSL_BRIDGE. There is no SSL offload on the ADC and that traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
  2. Bind an SSL service to this virtual server.
  3. Add a load balancing virtual server of type TCP. Note: IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
  4. Add a TCP service with port 443.
  5. Bind this service to the TCP virtual server created earlier.
  6. Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
  7. Add an SSL policy specifying the preceding action if the specific cipher suite (identified by its hex code) is received in the client hello message.
  8. Bind this policy to the SSL virtual server.
  9. Save the configuration.

Configuration using the CLI

add service ssl-service 10.102.113.155 SSL 443
add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky
add ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.ky
add lb vserver v1 SSL 10.102.57.186 443
bind ssl vserver v1 -certkeyName sv
bind lb vserver v1 ssl-service
add lb vserver v2 TCP
add service tcp-service 10.102.113.150 TCP 443
bind lb vserver v2 tcp-service
add ssl action act1 -forward v2
add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1
bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1
<!--NeedCopy-->
sh ssl vserver v1

    Advanced SSL configuration for VServer v1:
    DH: DISABLED
    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0
    Session Reuse: ENABLED  Timeout: 120 seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: ENABLED
    OCSP Stapling: DISABLED
    HSTS: DISABLED
    HSTS IncludeSubDomains: NO
    HSTS Max-Age: 0
    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES
    Strict Sig-Digest Check: DISABLED
    Zero RTT Early Data: DISABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1

    ECC Curve: P_256, P_384, P_224, P_521

1)  CertKey Name: sv    Server Certificate


    Data policy
1)  Policy Name: pol2   Priority: 1



1)  Cipher Name: DEFAULT
    Description: Default cipher list with encryption strength >= 128bit
 Done
sh ssl policy pol2
    Name: pol2
    Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f)
    Action: act1
    UndefAction: Use Global
    Hits: 0
    Undef Hits: 0


    Policy is bound to following entities
1)  Bound to: CLIENTHELLO_REQ VSERVER v1
    Priority: 1

 Done
<!--NeedCopy-->
sh ssl action act1
1)  Name: act1
    Type: Data Insertion
    Forward to: v2
    Hits: 0
    Undef Hits: 0
    Action Reference Count: 1
 Done
<!--NeedCopy-->
sh ssl vserver v2

    Advanced SSL configuration for VServer v2:
    DH: DISABLED
    DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED  Refresh Count: 0
    Session Reuse: ENABLED  Timeout: 120    seconds
    Cipher Redirect: DISABLED
    SSLv2 Redirect: DISABLED
    ClearText Port: 0
    Client Auth: DISABLED
    SSL Redirect: DISABLED
    Non FIPS Ciphers: DISABLED
    SNI: DISABLED
    OCSP Stapling: DISABLED
    HSTS: DISABLED
    HSTS IncludeSubDomains: NO
    HSTS Max-Age: 0
    SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
    Push Encryption Trigger: Always
    Send Close-Notify: YES
    Strict Sig-Digest Check: DISABLED
    Zero RTT Early Data: DISABLED
    DHE Key Exchange With PSK: NO
    Tickets Per Authentication Context: 1

    ECC Curve: P_256, P_384, P_224, P_521

1)  CertKey Name: sv    Server Certificate



1)  Cipher Name: DEFAULT
    Description: Default cipher list with encryption strength >= 128bit
<!--NeedCopy-->

Configuration using the GUI

Create a TCP virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a TCP virtual server.
  3. Click in the Services and Service Groups section and add a TCP service or bind an existing service.
  4. Click Bind.
  5. Click Continue.

Create an SSL virtual server:

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create another SSL virtual server.
  3. Click in the Services and Service Groups section and add a new SSL service or bind an existing service.
  4. Click Bind.
  5. Click Continue.
  6. Click in the Certificate section and bind a server certificate.
  7. Click Continue.
  8. In Advanced settings, click SSL Policies.
  9. Click in the SSL Policy section to add or select an existing policy.
  10. In Policy Binding, click Add and specify a name for the policy.
  11. In Action, click Add.
  12. Specify a name for the SSL action. In Forward Action Virtual Server, select the TCP virtual server created earlier.
  13. Click Create.
  14. Specify CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(hex code of the unsupported cipher) in the expression.
  15. Click Done.
  16. In the policy, configure an expression to evaluate traffic for the unsupported cipher.
  17. Bind the action to the policy, and the policy to the SSL virtual server. Specify bind point CLIENTHELLO_REQ.
  18. Click Done.
Configure SSL action to forward client traffic if a cipher is not supported on the ADC