Issue with Apple IOS10

Hi! We are seeing that F5 is dropping SSL Sessions from Apple IOS 10 (available since 09/13, ten days ago).

After checking it with tcpdump, we are seeing that the client is proposing the cipher TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the ClientHello message, which RFC 5746 explicitly documents the server must reject:

"When a ClientHello is received, the server MUST verify that it does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If the SCSV is present, the server MUST abort the handshake."

So, while waiting for an Apple fix, is there any workaround we can configure in F5? For instance, can F5 disable SSL renegotiation?

Thanks!

0
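As an added example (not part of the original post, and not F5 code), the Python below parses a ClientHello such as one taken from the tcpdump capture described above and reports whether it carries TLS_EMPTY_RENEGOTIATION_INFO_SCSV or the renegotiation_info extension, along with the server action RFC 5746 specifies for an initial handshake (section 3.6) and for a renegotiation on a connection whose secure_renegotiation flag is already set (section 3.7). The function names, return labels and sample hello bytes are constructed for illustration.

```python
import struct

SCSV = 0x00FF             # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEG_INFO = 0xFF01   # renegotiation_info extension type (RFC 5746)

def parse_client_hello(data):
    """Return (cipher_suites, {ext_type: ext_body}) from one ClientHello."""
    if data[0] == 0x16:                  # strip the 5-byte TLS record header
        data = data[5:]
    if data[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                     # handshake header, version, random
    pos += 1 + data[pos]                 # skip session_id
    (n,) = struct.unpack_from("!H", data, pos)
    suites = list(struct.unpack_from("!%dH" % (n // 2), data, pos + 2))
    pos += 2 + n
    pos += 1 + data[pos]                 # skip compression methods
    exts = {}
    if pos + 2 <= len(data):             # extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            exts[etype] = data[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return suites, exts

def rfc5746_server_action(data, renegotiating):
    """Label (hypothetical strings) for what RFC 5746 asks of the server."""
    suites, exts = parse_client_hello(data)
    has_scsv, ri = SCSV in suites, exts.get(EXT_RENEG_INFO)
    if renegotiating:                    # section 3.7, flag already TRUE
        if has_scsv or ri is None:
            return "abort"
        return "verify client_verify_data"
    if ri is not None and ri != b"\x00":   # section 3.6: must be empty here
        return "abort"
    if has_scsv or ri is not None:
        return "secure_renegotiation=TRUE"
    return "secure_renegotiation=FALSE"

def build_hello(suites, ext_bytes=b""):
    """Constructed sample ClientHello (handshake layer), not a real capture."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    if ext_bytes:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Passing `renegotiating=False` for the first ClientHello on a connection and `True` for one received mid-stream shows which of the two RFC sections applies to the packet seen in the capture.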

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

sure it can

Local Traffic ›› Profiles : SSL : Client, look for Renegotiation

1
Comments on this Answer
Comment made 25-Sep-2016 by TayF5un 382

You can disable SSL renegotiation, but that makes the system vulnerable to renegotiation attacks.

0
Comment made 25-Sep-2016 by boneyard 5579

I don't agree with that. If you disable SSL renegotiation, then renegotiation doesn't work anymore, so you can't use it for renegotiation attacks.

See the help information on the option:

"Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default is enabled."

1