Forum Discussion

Gustavo_Lazarte
Jan 13, 2009

Disable SSL 2.0

According to our security auditor we need to disable SSL 2.0 support and support SSL 3.0 or TLS 1.0 instead. I have not found a place in the Client SSL profile to set this up. I found the following values in the iRules documentation:

[SSL::cipher name] and [SSL::cipher version]. That will take care of the SSL 3.0 problem. How can I enable TLS 1.0 access too?


Thanks

2 Replies

  • Hamish
    You can disable SSLv2 in two places in the client SSL setup.

    In the options, you can disable SSLv2. (Select Options, then scroll down to 'No SSLv2' in the options list that appears. Select that and select 'Enable'. The 'No SSLv2' option will now be listed in the Enabled Options.)

    Or you can set no SSLv2 in the 'Ciphers' list. I usually set the clientssl profile (the one all others are usually set to inherit from) to

    'DEFAULT,!SSLv2,!EXPORT56,!MD5'

    which disables SSLv2, disables 56-bit encryption (for some REALLY old IE browsers that can step up from 40-bit to 128-bit, but can't do the 56-bit to 128-bit step), and lastly disables MD5 (because it's broken, as in insecure, not as in a bad implementation).

    H
  • You could also use an iRule to check the cipher used and redirect clients to a warning page explaining why they're being blocked if they don't meet your criteria. Here is an example:

    Redirect On Weak Encryption

    The downside to using the client SSL profile options to do this is the client simply gets a TCP reset resulting in a 'page cannot be displayed' error in the browser.

    Aaron
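The approach from both replies, written out as an added iRule example that is not code from the original thread or from the linked "Redirect On Weak Encryption" post: it reads the negotiated protocol, cipher name and key length with the SSL::cipher commands the question mentions, and sends clients that negotiated SSLv2, a sub-128-bit key or an MD5-based cipher to a warning page instead of letting the profile reset the TCP connection. The warning URL, the host name and the exact thresholds are assumptions; the iRule must be attached to a virtual server that has a client SSL profile, or SSL::cipher is not available.

```tcl
# Added example, not from the original thread. Assumes the virtual server has a
# client SSL profile attached and a separate plain-HTTP virtual serving the
# warning page (placeholder URL below), so weak clients never loop on the redirect.
when HTTP_REQUEST {
    # Placeholder: serve this page over plain HTTP or a virtual that does not run
    # this iRule, otherwise a weak client is redirected straight back here.
    set warn_url "http://www.example.com/weak-crypto.html"

    # SSL::cipher version is the negotiated protocol (SSLv2, SSLv3, TLSv1),
    # SSL::cipher name is the OpenSSL-style suite name (e.g. RC4-MD5),
    # SSL::cipher bits is the symmetric key length in bits.
    set proto [SSL::cipher version]
    set name  [SSL::cipher name]
    set bits  [SSL::cipher bits]

    # Same policy as the 'DEFAULT,!SSLv2,!EXPORT56,!MD5' cipher string in the
    # profile: no SSLv2, no export-strength keys, no MD5 suites.
    if { ($proto equals "SSLv2") or ($bits < 128) or ($name contains "MD5") } {
        # Log the decision so the SOC can see which clients still need upgrading.
        log local0. "Weak SSL from [IP::client_addr]: $proto $name ($bits bits) for [HTTP::host][HTTP::uri]"
        HTTP::redirect $warn_url
        return
    }
}
```

Because the redirect is sent inside the weak SSL session the browser already negotiated, the client does get a readable response; the actual cut-over to a profile that refuses SSLv2 can then follow once the log shows no remaining weak clients.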