iRule to Disable SSL Negotiation

Question

Hello&nbsp;
&nbsp;I am running 9.4.8 and just applied HF4 in order to use the standard iRule to disable SSL session renegotiation.&nbsp;&nbsp;
&nbsp;when CLIENTSSL_HANDSHAKE {
&nbsp; SSL::renegotiate disable
&nbsp;}&nbsp;
&nbsp;Even after this has been applied to a virtual server, a Nessus security scan is able to renegotiate a session with a different cipher.  I have looked at captures of this and tend to agree.&nbsp;
&nbsp;Is there anything else necessary to get this working?&nbsp;
&nbsp;Many Thanks,&nbsp;
&nbsp;Paul&nbsp;&nbsp;&nbsp;

paul_aurich · Answer

Paul, 
&nbsp;  
&nbsp; Is Nessus testing for SSL session resumption or SSL (midstream) rengotiation?  Is Nessus triggering on CVE-2010-4180 (discussed in SOL12543)?  If the information there doesn't address your needs, I'd suggest opening a case with F5 Networks Support to get further clarification. 
&nbsp;  
&nbsp; ~Paul

michael_yates · Answer

I know you can restrict your accepted Ciphers in the SSL Profile in v9.4.x. 
&nbsp;  
&nbsp; In v10.x.x you can control Renegotiation in the SSL Profile as well.  I am not sure when that option was added, but it might be worth looking into to see if the option is there in v9.4.8. 
&nbsp;  
&nbsp; If it is then it might offer you an alternative to an iRule.

Forum Discussion

iRule to Disable SSL Negotiation

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

iRule to decode WebSocket negotiation and frames

Disabling Weak Ciphers

disable http retry

Disable cookie persistance in irule

ASM irule to disable attack signature authorization header with specific value