Poodle Mitigation but can't disable SSLv3

Question

Reading some of the recent articles it appears the recommendation is to force RC4 for all SSLv3 connections.  Have any of you encountered any client issues doing so?  Also wondering if anyone is using an irule along the lines of sending known client IP ranges that require SSLv3 to an SSLv3 enabled profile, then sending all other clients to an SSLv3 disabled profile.  I appreciate any input.&nbsp;
Thanks,
Chris&nbsp;

jrahm · Answer

you could use the SSL::cipher version command with a default ssl version of v3, and if client is IP $x all is ok, and if not, renegotiate and force a different ssl profile. Ideas around this can be gathered in this thread.

christopher_boo · Answer

For anyone interested, I'm using the irule below.  The SSLv3 enabled profile only allows SSLv3 with RC4.  The other profile has SSLv3 disabled.
when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals "sslv3_allowed"] } {
SSL::profile sslv3_enabled
} else {
SSL::profile sslv3_disabled
}
}
when HTTP_REQUEST {
SSL::renegotiate
}

jrahm · Answer

nice work!

Forum Discussion

Poodle Mitigation but can't disable SSLv3

3 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

SSLv3 POODLE mitigation recommendations

CitrixBleed Mitigation CVE-2023-4966

F5 Distributed Cloud L3-L7 DDoS Mitigation

Mitigating OWASP API Security risks using BIG-IP

Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect