Forum Discussion

gijo_342173
Oct 23, 2018
Solved

SSL passthrough VIP - mitigating birthday attack

Is it possible to apply an SSL client profile to the VIP to mitigate this, even though the VIP is in SSL passthrough mode, per https://support.f5.com/csp/article/K13092 ?

 

Are there other possibilities to address this vulnerability on the F5?

 

  • In passthrough you cannot add any ssl profile i.e.- client or server

     

8 Replies

  • Can you elaborate on what you need to do and what you're trying to prevent? Are you referring to a hash birthday attack, and if so, which hash?

     

  • Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32)

     
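To make the Sweet32 point concrete, here is an added example (not code from this thread or from F5) that does two things a defender typically wants: it applies the birthday bound to show why a 64-bit block cipher such as 3DES becomes risky after tens of gigabytes in one session while AES (128-bit blocks) does not, and it scans a constructed list of cipher suite names (OpenSSL and IANA naming) for 64-bit-block suites. The suite list and the thresholds are constructed sample input; the function names are this example's own.

```python
import math

# Approximate birthday bound: probability that at least two of n ciphertext
# blocks collide under a block cipher with block_bits-bit blocks (CBC mode,
# single key). Standard approximation: p ~ 1 - exp(-n(n-1) / (2 * 2^b)).
def collision_probability(n_blocks: int, block_bits: int) -> float:
    space = 2 ** block_bits
    exponent = -(n_blocks * (n_blocks - 1)) / (2 * space)
    return 1.0 - math.exp(exponent)


# Inverse of the bound: how many bytes must flow under one key before the
# collision probability reaches target_p. Solving p = 1 - exp(-n^2 / 2N)
# for n gives n ~ sqrt(-2N ln(1 - p)); multiply by block size in bytes.
def bytes_for_probability(target_p: float, block_bits: int) -> float:
    space = 2 ** block_bits
    n_blocks = math.sqrt(-2 * space * math.log(1.0 - target_p))
    return n_blocks * (block_bits / 8)


# Substrings that identify 64-bit-block ciphers in common suite names:
# triple DES ("3DES" in IANA names, "DES-CBC3" in OpenSSL names), single DES
# and IDEA. Everything else in a modern list (AES, ChaCha20) has 128-bit blocks.
BLOCK64_MARKERS = ("3DES", "DES-CBC3", "DES_CBC_SHA", "DES-CBC-SHA", "IDEA")


def flag_64bit_suites(suite_names):
    """Return the suites from suite_names that use a 64-bit block cipher."""
    flagged = []
    for name in suite_names:
        upper = name.upper()
        if any(marker in upper for marker in BLOCK64_MARKERS):
            flagged.append(name)
    return flagged


# Constructed sample list mixing OpenSSL-style and IANA-style names; this is
# not taken from any real BIG-IP profile.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA",
]


def sweet32_report():
    """Summarise the bound for 64-bit vs 128-bit blocks and the flagged suites."""
    gib = 1024 ** 3
    return {
        # 2^32 blocks of 8 bytes = 32 GiB of 3DES traffic under one key
        "p_collision_3des_32gib": collision_probability(2 ** 32, 64),
        "gib_for_50pct_3des": bytes_for_probability(0.5, 64) / gib,
        "gib_for_50pct_aes": bytes_for_probability(0.5, 128) / gib,
        "flagged": flag_64bit_suites(SAMPLE_SUITES),
    }


if __name__ == "__main__":
    for key, value in sweet32_report().items():
        print(f"{key}: {value}")
```

Usage note: the suite check only tells you which ciphers to drop from a client SSL profile that terminates TLS on the BIG-IP; on a passthrough VIP the BIG-IP never negotiates the cipher, so the same check has to be run against the backend servers' own TLS configuration.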

  • Okay, so the fix here is to disable TLS1 in the client SSL profile. But not sure how this relates to a VIP in SSL passthrough mode. If you want to mitigate TLS1 vulnerabilities at the F5, then you need to minimally apply a client SSL profile that does this, and then you're no longer in passthrough mode.

     


  • I will be applying the following modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

     

    and NOT anything on the SSL client profile as there is no SSL client profile. The risk is this may break any clients that are using TLSv1 for other virtuals.

     

  • Okay, but do understand that this ONLY affects the BIG-IP configuration (management plane). This has no effect on the TLS traffic flowing through VIPs.