Forum Discussion
Hi all,
Thank you very much Kai for this, really appreciate it.
Now with this new vulnerability K21905460: BIG-IP SSL vulnerability CVE-2017-6168 I suppose we will have to remove the RSA key exchange from the cipher list? https://support.f5.com/csp/article/K21905460
New list:
!SSLv2:!RSA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4
What are your thoughts?
Regards,
Hi kchiotak,
Thank you very much for bringing this up to our attention.
The Bleichenbacher attack is somewhat difficult to pull off and most likely not exploitable outside of lab environments. If you have to close this security hole because of compliance reasons or if you just want to have this security hole closed, then use the cipher string you have posted.
But keep in mind that this change will ban any legacy client without ECDHE support (like WinXP/IE8)!
@magnus78
kchiotak's and your cipher string provide almost the same level of security. The only difference is that kchiotak's string includes DES based algorithms with the least priority (most likely never negotiated) and yours is banning DES based algorithms completely. But both are successfully banning any RSA based ciphersuites...
FYI: The shortcut to your cipher string would be just
'ECDHE+AES-GCM:ECDHE+AES'
Cheers, Kai
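An added example (not from this thread, and not F5's or OpenSSL's code) that shows why the posted string and Kai's shortcut end up with the same suites. It is a small evaluator for the OpenSSL/BIG-IP style cipher-string grammar used above: tokens separated by `:`, `+` inside a token meaning "all of these properties", `-` removing suites that a later token may add back, and `!` removing them permanently. The suite table is constructed for the example (a subset of what a real stack offers), the `RSA` keyword is modelled as matching the key exchange only (ECDHE-RSA-* suites use RSA just for signing, which is what matters for Bleichenbacher), and the protocol keywords `SSLv2`/`SSLv3` are simplified to match nothing in this table. It goes slightly beyond the thread by evaluating any string of this form, not just the one posted.

```python
"""Toy evaluator for an OpenSSL/F5-style cipher string (constructed model,
not the real implementation). Demonstrates that '!RSA' early in the string
kills every RSA key-exchange suite, so the later 'RSA+AES-GCM', 'RSA+AES' and
'RSA+3DES' tokens add nothing, and what is left is the ECDHE-only list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str            # key exchange: "RSA", "ECDHE" or "DHE"
    enc: str           # bulk cipher: "AESGCM", "AES", "3DES", "RC4"
    mac: str           # "AEAD", "SHA", "MD5"
    export: bool = False


# Constructed suite table; names follow OpenSSL conventions.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AESGCM", "AEAD"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "AESGCM", "AEAD"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "AES", "SHA"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDHE", "AES", "SHA"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", "ECDHE", "3DES", "SHA"),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DHE", "AESGCM", "AEAD"),
    Suite("DHE-RSA-AES128-SHA", "DHE", "AES", "SHA"),
    Suite("AES256-GCM-SHA384", "RSA", "AESGCM", "AEAD"),
    Suite("AES128-SHA", "RSA", "AES", "SHA"),
    Suite("DES-CBC3-SHA", "RSA", "3DES", "SHA"),
    Suite("RC4-MD5", "RSA", "RC4", "MD5"),
    Suite("EXP-RC4-MD5", "RSA", "RC4", "MD5", export=True),
]
BY_NAME = {s.name: s for s in SUITES}

# Keyword -> predicate over a suite. "RSA" selects the *key exchange*, which is
# the property the Bleichenbacher attack depends on; ECDHE-RSA-* suites are
# not matched because they only sign with RSA.
KEYWORDS = {
    "ALL": lambda s: True,
    "RSA": lambda s: s.kx == "RSA",
    "ECDHE": lambda s: s.kx == "ECDHE",
    "DHE": lambda s: s.kx == "DHE",
    "AES-GCM": lambda s: s.enc == "AESGCM",
    "AES": lambda s: s.enc in ("AES", "AESGCM"),   # AES covers GCM too
    "3DES": lambda s: s.enc == "3DES",
    "DES": lambda s: s.enc == "DES",
    "RC4": lambda s: s.enc == "RC4",
    "MD5": lambda s: s.mac == "MD5",
    "EXPORT": lambda s: s.export,
    # Simplification: protocol selectors match no suite in this toy table.
    "SSLv2": lambda s: False,
    "SSLv3": lambda s: False,
}


def matches(token, suite):
    """'ECDHE+AES-GCM' matches when every '+'-joined keyword matches."""
    return all(KEYWORDS[part](suite) for part in token.split("+"))


def _run(cipher_string):
    enabled, killed, dead = [], set(), []
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in SUITES if matches(body, s)]
        if op == "!":                      # remove and never allow back
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif op == "-":                    # remove, may be re-added later
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":                    # move matching suites to the end
            enabled = ([s for s in enabled if s not in hits]
                       + [s for s in enabled if s in hits])
        else:                              # append suites not yet listed
            new = [s for s in hits if s not in enabled and s not in killed]
            if not new:
                dead.append(token)         # token contributed nothing
            enabled += new
    return [s.name for s in enabled], dead


def evaluate(cipher_string):
    """Ordered list of suite names the string enables."""
    return _run(cipher_string)[0]


def dead_add_tokens(cipher_string):
    """Plain (additive) tokens whose suites were all killed or already present."""
    return _run(cipher_string)[1]


def rsa_key_exchange(names):
    """Suites in the list that still use RSA key exchange (should be none)."""
    return [n for n in names if BY_NAME[n].kx == "RSA"]


KCHIOTAK = ("!SSLv2:!RSA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:"
            "ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:"
            "-MD5:-SSLv3:-RC4")
SHORTCUT = "ECDHE+AES-GCM:ECDHE+AES"

if __name__ == "__main__":
    print("enabled:", evaluate(KCHIOTAK))
    print("tokens that added nothing:", dead_add_tokens(KCHIOTAK))
    print("shortcut:", evaluate(SHORTCUT))
```

Running it shows the three `RSA+...` tokens are dead because `!RSA` already killed those suites, no RSA key-exchange suite survives, and the only difference from Kai's two-token shortcut is the trailing ECDHE 3DES suite that `ECDHE+3DES` appends at lowest priority.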