During the SSL handshake, the SSL client (usually a web browser) announces the suite of ciphers that it supports, in the configured order of cipher preference. From that list, the SSL server then selects a cipher that matches its own list of configured ciphers.
If the ciphers announced by the client does not match the ciphers configured on the SSL server, the SSL handshake fails. The failure is announced by a cryptic error message displayed in the browser. These messages rarely mention the exact cause of the error.
With cipher redirection, you can configure an SSL virtual server to deliver accurate, meaningful error messages when an SSL handshake fails. When an SSL handshake fails, the ADC appliance redirects the user to a previously configured URL or, if no URL is configured, displays an internally generated error page.
Configure cipher redirection by using the CLI
At the command prompt, type the following commands to configure cipher redirection and verify the configuration:
- set ssl vserver <vServerName> -cipherRedirect < ENABLED | DISABLED> -cipherURL < URL> - show ssl vserver <vServerName> <!--NeedCopy-->
set ssl vserver vs-ssl -cipherRedirect ENABLED -cipherURL http://redirectURl Done show ssl vserver vs-ssl Advanced SSL configuration for VServer vs-ssl: DH: DISABLED Ephemeral RSA: ENABLED Refresh Count: 1000 Session Reuse: ENABLED Timeout: 600 seconds Cipher Redirect: ENABLED Redirect URL: http://redirectURl SSLv2 Redirect: DISABLED ClearText Port: 0 Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED SNI: DISABLED OCSP Stapling: DISABLED HSTS: DISABLED HSTS IncludeSubDomains: NO HSTS Max-Age: 0 SSLv2: DISABLED SSLv3: ENABLED TLSv1.0: ENABLED TLSv1.2: ENABLED TLSv1.2: ENABLED 1) CertKey Name: Auth-Cert-1 Server Certificate 1) Cipher Name: DEFAULT Description: Predefined Cipher Alias Done <!--NeedCopy-->
Configure cipher redirection by using the GUI
- Navigate to Traffic Management > Load Balancing > Virtual Servers, and open a virtual server.
- In the SSL Parameters section, select Enable Cipher Redirect, and specify a redirect URL.