Forum Discussion
Brian_Van_Stone
Jul 10, 2012 (Nimbostratus)
Definitely not an F5 issue but I figured I would post this here in case anyone else runs into this problem in the future and comes looking here.
Safari (even the latest version) does not support RFC 5746, which addresses an issue concerning SSL renegotiation that would allow a man-in-the-middle attack. The description of the vulnerability can be found here: http://www.phonefactor.com/sslgap
The vulnerability was identified in August of 2009 and the actual standard to fix it was proposed in Feb 2010. All other major browsers (IE, FF, Opera, Chrome, etc.) appear to have been compliant for quite a while.
Recent security patches to our web servers have enforced a requirement for RFC 5746 compliance. F5 Big-IP appears to be compliant, since it can communicate via SSL to these same web servers, but also tolerant of non-compliant clients. It is for this reason that SSL termination makes our problem disappear.
Sorry to spawn a thread unrelated to F5 config, but perhaps this will be useful to someone in the future.
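
Added example, not part of the original post: under RFC 5746 a client signals support in its ClientHello either with the `renegotiation_info` extension (type 0xFF01) or with the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite value (0x00FF), so inspecting a captured ClientHello shows whether a server that enforces the RFC will reject that client. The function names and the constructed handshakes below are assumptions made for illustration, and the parser expects the ClientHello to fit in a single TLS record.

```python
import struct

RENEG_INFO_EXT = 0xFF01    # renegotiation_info extension type (RFC 5746)
EMPTY_RENEG_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)

def client_hello_rfc5746(record: bytes) -> dict:
    """Report how a ClientHello (one complete TLS record) signals RFC 5746."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    try:
        pos = 2 + 32                      # client_version + random
        pos += 1 + body[pos]              # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = struct.unpack(f"!{cs_len // 2}H", body[pos + 2:pos + 2 + cs_len])
        pos += 2 + cs_len
        pos += 1 + body[pos]              # compression_methods
        ext_types = []
        if pos < len(body):               # the extensions block is optional
            ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                ext_types.append(etype)
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    scsv = EMPTY_RENEG_SCSV in suites
    ext = RENEG_INFO_EXT in ext_types
    return {"scsv": scsv, "extension": ext, "compliant": scsv or ext}

def build_client_hello(suites, extensions=b""):
    """Constructed sample ClientHello for the demo (not a real capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"       # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # null compression only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    empty_ri = struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)   # empty renegotiated_connection
    print("legacy   ", client_hello_rfc5746(build_client_hello([0x002F, 0x0035])))
    print("scsv     ", client_hello_rfc5746(build_client_hello([0x002F, 0x00FF])))
    print("extension", client_hello_rfc5746(build_client_hello([0x002F], empty_ri)))
```

A ClientHello for which `compliant` is false is the kind an RFC 5746-enforcing server refuses, which matches the behaviour described in the post for direct connections to the patched web servers.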