Forum Discussion

Nimbostratus

Jul 09, 2012

SSL Pass Through VS for Safari Clients

We're experiencing an issue with a VS in our configuration which is performing SSL pass through. Clients attempting to connect to our site via Safari (from a Mac) are unable to successfully complete ...

config

design

Brian_Van_Stone

Nimbostratus

Jul 10, 2012

Definitely not an F5 issue but I figured I would post this here in case anyone else runs into this problem in the future and comes looking here.

Safari (even the latest version) does not support RFC 5746, which addresses an issue concerning SSL renegotiation which would allow a man in the middle attack. The description of the vulnerability can be found here: http://www.phonefactor.com/sslgap

The vulnerability was identified in August of 2009 and the actual standard to fix it proposed in Feb 2010. All other major browsers (IE, FF, Opera, Chrome, etc.) appear to have been compliant for quite a while.

Recent security patches to our web servers have enforced a requirement for RFC 5746 compliance. F5 Big-IP appears to be compliant, since it can communicate via SSL to these same web servers, but also tolerant of non-compliant clients. It is for this reason that SSL termination makes our problem disappear.

Sorry to spawn a thread unrelated to F5 config, but perhaps this will be useful to someone in the future.

Forum Discussion

SSL Pass Through VS for Safari Clients

Recent Discussions

Automate ASM "Ready to Be Enforced" Attack Signatures

F5 Content Switching

Geolocation restrict and redirect to a URL

F5 cookie passive method

iRule to show banner while application maintenace

Related Content

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

Enhance your Application Security using Client-side signals

iRule based RADIUS Client Stack

iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)

Using Client Subnet in DNS Requests