Product Documentation
ADC
Current Release 13.1 13.0 12.1
View PDF

Configure SSL action to forward client traffic if a cipher is not supported on the ADC

September 14, 2021
Contributed by:
S

Note: This feature is available in release 12.1 build 49.x and later.

在the client hello message, if you receive a cipher that is not supported on the ADC, you can configure an SSL action to forward the client traffic to a different virtual server. If you do not want SSL offload, configure this virtual server of type TCP or SSL_BRIDGE. There is no SSL offload on the ADC and that traffic is bypassed. For SSL offload, configure an SSL virtual server as the forward virtual server.

Perform the following steps:

  1. Add a load balancing virtual server of type SSL. Client traffic is received on this virtual server.
  2. Bind an SSL service to this virtual server.
  3. Add a load balancing virtual server of type TCP.Note: IP address or port number is not mandatory for the virtual server to which traffic is forwarded.
  4. Add a TCP service with port 443.
  5. Bind this service to the TCP virtual server created earlier.
  6. Add an SSL action specifying the TCP virtual server in the ‘forward’ parameter.
  7. Add an SSL policy specifying the preceding action if the specific cipher suite (identified by its hex code) is received in the client hello message.
  8. Bind this policy to the SSL virtual server.
  9. Save the configuration.

配置使用CLI

add service ssl-service 10.102.113.155 SSL 443 add ssl certkey sv -cert complete/server/server_rsa_2048.pem -key complete/server/server_rsa_2048.ky add ssl certkey cacert -cert complete/CA/root_rsa_1024.pem -key complete/CA/root_rsa_1024.ky add lb vserver v1 SSL 10.102.57.186 443 bind ssl vserver v1 -certkeyName sv bind lb vserver v1 ssl-service add lb vserver v2 TCP add service tcp-service 10.102.113.150 TCP 443 bind lb vserver v2 tcp-service add ssl action act1 -forward v2 add ssl policy pol2 -rule client.ssl.client_hello.ciphers.has_hexcode(0x002f) -action act1 bind ssl vserver v1 -policyName pol2 -type CLIENTHELLO_REQ -priority 1 
sh ssl vserver v1 Advanced SSL configuration for VServer v1: DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: ENABLED Timeout: 120 seconds Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: ENABLED OCSP Stapling: DISABLED HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED Push Encryption Trigger: Always Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED DHE Key Exchange With PSK: NO Tickets Per Authentication Context: 1 ECC Curve: P_256, P_384, P_224, P_521 1) CertKey Name: sv Server Certificate Data policy 1) Policy Name: pol2 Priority: 1 1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit Done sh ssl policy pol2 Name: pol2 Rule: client.ssl.client_hello.ciphers.has_hexcode(0x002f) Action: act1 UndefAction: Use Global Hits: 0 Undef Hits: 0 Policy is bound to following entities 1) Bound to: CLIENTHELLO_REQ VSERVER v1 Priority: 1 Done 
sh ssl action act1 1) Name: act1 Type: Data Insertion Forward to: v2 Hits: 0 Undef Hits: 0 Action Reference Count: 1 Done 
sh ssl vserver v2 Advanced SSL configuration for VServer v2: DH: DISABLED DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: ENABLED Timeout: 120 seconds Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: DISABLED OCSP Stapling: DISABLED HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED TLSv1.3: DISABLED Push Encryption Trigger: Always Send Close-Notify: YES Strict Sig-Digest Check: DISABLED Zero RTT Early Data: DISABLED DHE Key Exchange With PSK: NO Tickets Per Authentication Context: 1 ECC Curve: P_256, P_384, P_224, P_521 1) CertKey Name: sv Server Certificate 1) Cipher Name: DEFAULT Description: Default cipher list with encryption strength >= 128bit

Configuration using the GUI

Create a TCP virtual server:

  1. Navigate toTraffic Management>Load Balancing>Virtual Servers.
  2. Create a TCP virtual server.
  3. Click in theServices and Service Groupssection and add a TCP service or bind an existing service.
  4. ClickBind.
  5. ClickContinue.

Create an SSL virtual server:

  1. Navigate toTraffic Management>Load Balancing>Virtual Servers.
  2. Create another SSL virtual server.
  3. Click in theServices and Service Groupssection and add a new SSL service or bind an existing service.
  4. ClickBind.
  5. ClickContinue.
  6. Click in the证书section and bind a server certificate.
  7. ClickContinue.
  8. Advanced settings, clickSSL Policies.
  9. Click in theSSL Policysection to add or select an existing policy.
  10. Policy Binding, clickAddand specify a name for the policy.
  11. Action, clickAdd.
  12. 指定a name for the SSL action. InForward Action Virtual Server, select the TCP virtual server created earlier.
  13. ClickCreate.
  14. 指定CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE(hex code of the unsupported cipher)in the expression.
  15. ClickDone.
  16. 在the policy, configure an expression to evaluate traffic for the unsupported cipher.
  17. Bind the action to the policy, and the policy to the SSL virtual server. Specify bind pointCLIENTHELLO_REQ.
  18. ClickDone.
Configure SSL action to forward client traffic if a cipher is not supported on the ADC
September 14, 2021
Contributed by:
S
September 14, 2021
Contributed by:
S

在this article

网站反馈 | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999-Cloud Software Group, Inc. All rights reserved.