Forum Discussion
8 Replies
- gijo_342173 (Nimbostratus)
the code is 11.5.4
- Kevin_Stewart (Employee)
Can you elaborate on what you need to do and what you're trying to prevent? Are you referring to a hash birthday attack, and if so, which hash?
- gijo_342173 (Nimbostratus)
Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
- gijo_342173 (Nimbostratus)
https://support.f5.com/csp/article/K13400
I am thinking the fix is to disable everything except TLS1 and RC4 per the above; however, this may impact all other VIPs. I have a feeling that without addressing the traffic on other virtuals I am risking breaking some applications.
- Kevin_Stewart (Employee)
Okay, so the fix here is to disable TLS1 in the client SSL profile. But not sure how this relates to a VIP in SSL passthrough mode. If you want to mitigate TLS1 vulnerabilities at the F5, then you need to minimally apply a client SSL profile that does this, and then you're no longer in passthrough mode.
- gs_366906 (Altocumulus)
In passthrough you cannot add any SSL profile, i.e., client or server.
- gijo_342173 (Nimbostratus)
I will be applying the following:
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'
and NOT anything on the SSL client profile, as there is no SSL client profile. The risk is this may break any clients that are using TLSv1 for other virtuals.
- Kevin_Stewart (Employee)
Okay, but do understand that this ONLY affects the BIG-IP configuration (management plane). This has no effect on the TLS traffic flowing through VIPs.