DataScript: avi.ssl.cipher

DataScript

Function avi.ssl.cipher( [true] )
Description Returns the name of the ciphersuite negotiated for the SSL/TLS connection between the client and the virtual service, and may optionally include the version, key exchange method (Kx), authentication method (Au), encryption method (Enc), and MAC selected (Mac). The returned ciphersuite information is in OpenSSL format. See www.openssl.org/docs/manmaster/apps/ciphers.html for examples of OpenSSL formatted ciphersuites.
Events HTTP_REQ HTTP_RESP
Parameter Optional boolean true. When this parameter is not specified, only the ciphersuite name is returned. When the true flag is set, this function returns ciphersuite, version, authentication method, encryption method, and MAC selected. These values are presented as a space separated string.
Returns A string value containing the cipher information for the SSL/TLS connection. When the true flag is set, values are returned as a space separated string.
Example 1 Gracefully deny clients connecting with unsupported ciphers.
cipher_name = avi.ssl.cipher() 
if cipher_name == "RC4-SHA" then
   avi.http.response(200, {content_type="text/html"}, 
      "Upgrade your client to use modern and secure ciphers."
   )
end
Example 2 Insert a header to the server indicating the key exchange method negotiated with the client.
cipher = avi.ssl.cipher(true)
   ­­-- get the key exchange method from the cipher detail using pattern matching
   ­­-- %w matches alphanumeric characters
kx = string.match(cipher, "Kx=(%w+)")

if kx then
   avi.http.add_header("X-­KeyExchange", kx)
end

Note: This API is not supported in the events SSL_PRECONNECT and SSL_CLIENTHELLO.