Deny SSLv3 Using aFlex

  • When a client attempts to connect to the VIP using SSLv3, deny it.
  • Allow some clients (selected by source subnet) to keep using SSLv3 when needed.
  • Service type: HTTPS or TCP/443 (see the limitation below).
  • TCP/443 limitation: only reject is supported; the connection cannot be answered with a redirect to a page.

when CLIENT_ACCEPTED {
	# Check the remote client IP (remote_addr is normally the client IP).
	# Clients in these subnets are still allowed to use SSLv3.
	if { [IP::addr [remote_addr] equals 8.8.8.0/24] } {
		set sslv3pass 1
	} elseif { [IP::addr [remote_addr] equals 8.8.4.0/24] } {
		set sslv3pass 1
	} else {
		set sslv3pass 0
	}
	# Initialise the redirect flag so HTTP_REQUEST (if enabled) never reads an unset variable.
	set red 0
	# Hold the first client bytes so CLIENT_DATA can inspect the SSL record header.
	TCP::collect
}
 
when CLIENT_DATA {
	# Need at least 3 bytes (1-byte record type + 2-byte version); otherwise keep collecting.
	if { [TCP::payload length] < 3 } {
		TCP::collect
		return
	}
	# c = record type (0x16 = handshake), S = 16-bit big-endian protocol version.
	binary scan [TCP::payload] cS rtype sslver
 
	# Logging affects unit performance. DO NOT use it in production.
#	log "$sslv3pass . $sslver"
 
	# SSL 3.0 -> 768 (0x0300), TLS 1.0 -> 769, TLS 1.1 -> 770, TLS 1.2 -> 771
	# TCP/443 and HTTPS: drop the connection unless this client is allowed SSLv3.
	if { ( $sslv3pass == 0 ) && ( $sslver <= 768 ) } { reject }
 
	# HTTPS only. To redirect instead of rejecting, use the following line
	# (together with the HTTP_REQUEST block below) in place of the reject above.
#	if { ( $sslv3pass == 0 ) && ( $sslver <= 768 ) } { set red 1 }
 
	# Release the held bytes so the connection proceeds normally.
	TCP::release
}
 
#when HTTP_REQUEST {
#	if { $red == 1 } {
#		HTTP::respond 302 Location "https://tw.gamania.com/" Cache-Control No-Cache Pragma No-Cache
#	}
#}
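The same decision logic, as an added Python example (not part of the original aFlex rule), run over constructed hello bytes so the allow/reject/collect outcomes can be checked offline. It goes one step beyond the rule: the `cS` scan only matches a TLS-format record header, so this version also reads the version field of an SSLv2-format ClientHello (first byte with the high bit set, version at bytes 3..4). The subnets are the rule's own values.

```python
import ipaddress
import struct

# Mirrors the rule's CLIENT_ACCEPTED allowlist: these subnets may keep SSLv3.
SSLV3_ALLOWED_NETS = [ipaddress.ip_network("8.8.8.0/24"),
                      ipaddress.ip_network("8.8.4.0/24")]
SSL3_0 = 0x0300  # 768; TLS 1.0 = 769, TLS 1.1 = 770, TLS 1.2 = 771


def client_may_use_sslv3(remote_addr):
    """Same role as the rule's sslv3pass flag: allowlist by source subnet."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in SSLV3_ALLOWED_NETS)


def hello_version(payload):
    """Protocol version claimed by the first bytes of a client hello.

    Returns None when too few bytes have arrived (the rule keeps collecting).
    TLS-format record: type(1) version(2), which is what `binary scan cS` reads.
    SSLv2-format ClientHello: high bit of byte 0 set, version at bytes 3..4.
    """
    if len(payload) < 3:
        return None
    if payload[0] & 0x80:                       # SSLv2-format ClientHello
        if len(payload) < 5:
            return None
        return struct.unpack("!H", payload[3:5])[0]
    _rtype, version = struct.unpack("!BH", payload[:3])
    return version


def decide(remote_addr, payload):
    """Return 'reject', 'allow' or 'collect' (need more bytes), as the rule would."""
    version = hello_version(payload)
    if version is None:
        return "collect"
    if version <= SSL3_0 and not client_may_use_sslv3(remote_addr):
        return "reject"
    return "allow"


# Constructed sample record headers (not real captures):
SSLV3_HELLO = bytes.fromhex("160300")         # TLS record header, version 3.0
TLS_HELLO = bytes.fromhex("160301")           # record version 3.1 (TLS 1.0+)
V2_COMPAT_SSL3 = bytes.fromhex("802e010300")  # SSLv2-format hello offering SSL 3.0

if __name__ == "__main__":
    for addr, data in [("203.0.113.5", SSLV3_HELLO), ("8.8.8.10", SSLV3_HELLO),
                       ("203.0.113.5", TLS_HELLO), ("203.0.113.5", V2_COMPAT_SSL3)]:
        print(addr, data.hex(), "->", decide(addr, data))
```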