Forum Discussion

SergeyAU_168519
Nimbostratus
Feb 23, 2016

Logjam and FREAK using BIG-IP 9.4.3 - please help!

Hello. I have a number of sites running on an old BIG-IP 9.4.3 box that the business just does not want to upgrade. We have mitigated the previous SSL vulnerabilities by setting the SSL profile ciphers to DEFAULT:!SSLv3, and it's only talking TLS 1.0 now.


I was checking the site in SSL Labs today and it's a big, fat, red F =(


  • This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)
  • This server supports 512-bit export suites and might be vulnerable to the FREAK attack

I know it's old, but is there anything that can be done to keep it going? Below is what SSL Labs reported:


1 Reply

  • You could try using the profile string 'RSA+AES:!SSLv3' ..... That's about the only option you have, I think.

    [a-dstout@ltm13:Active:In Sync] ~  tmm --clientciphers 'RSA+AES:!SSLv3'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA       
     1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA       
     2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA       
     3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA       
     4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA       
     5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA       
     6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA       
     7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA       
     8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA       
     9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA  

    That or decide that the business deserves to fall on its a** out of sheer ignorance lol
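The reply's fix works because 'RSA+AES' restricts the profile to suites with plain RSA key exchange and AES encryption, which drops every DHE suite (the Logjam finding is about weak finite-field DH parameters, and on a release this old the DH group size cannot be raised, so removing DHE is the practical mitigation) and every export-grade suite (the FREAK finding). Below is an added example, not code from the thread or from F5, that parses the table format `tmm --clientciphers` prints (as in the listing above) and flags those suite classes so you can audit a candidate cipher string before committing it to the profile. The "default-style" listing it checks against is constructed for illustration; the actual DEFAULT output of a 9.4.3 box is not on the page.

```python
"""Audit a BIG-IP `tmm --clientciphers` listing for Logjam/FREAK exposure.

Added example (not from the original thread). It flags:
  * finite-field DH key exchange (EDH/DHE): Logjam exposure when the DH
    parameters are weak and cannot be enlarged on an old release
  * export-grade suites (EXP-* names or < 128-bit keys): FREAK exposure
  * any suite still negotiable over SSLv3
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what a permissive profile might still list.
# Column layout copied from the tmm output format; rows are illustrative only.
DEFAULT_STYLE_LISTING = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES     SHA     EDH/RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
 2:     3  EXP-RC4-MD5                       40  SSLv3   Native  RC4     MD5     RSA
 3:     3  EXP-RC4-MD5                       40  TLS1    Native  RC4     MD5     RSA
"""

# The listing from the reply above ('RSA+AES:!SSLv3').
HARDENED_LISTING = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
 4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
 5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
 6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
 7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
 8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
 9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
"""


@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    bits: int
    protocol: str
    cipher: str
    mac: str
    keyx: str


def parse_tmm_ciphers(listing: str) -> list[Suite]:
    """Parse data rows like '0:  61  AES256-SHA256  256  TLS1.2  Native  AES  SHA256  RSA'.

    Header and prompt lines are skipped: a data row starts with an index
    token such as '0:' and has eight columns after it.
    """
    suites: list[Suite] = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 9 or not re.fullmatch(r"\d+:", tokens[0]):
            continue
        _idx, sid, name, bits, prot, _method, cipher, mac, keyx = tokens[:9]
        suites.append(Suite(int(sid), name, int(bits), prot, cipher, mac, keyx))
    return suites


def audit(suites: list[Suite]) -> list[str]:
    """Return one finding per problematic row; an empty list means clean."""
    findings: list[str] = []
    for s in suites:
        kx = s.keyx.upper()
        # finite-field DH (EDH/DHE), but not ECDHE, is the Logjam-relevant exchange
        if "DH" in kx and "ECDH" not in kx:
            findings.append(f"Logjam: {s.name} on {s.protocol} uses {s.keyx} key exchange")
        if s.name.startswith("EXP") or s.bits < 128:
            findings.append(f"FREAK: {s.name} on {s.protocol} is export-grade ({s.bits} bits)")
        if s.protocol.upper().startswith("SSL"):
            findings.append(f"SSLv3: {s.name} still offered on {s.protocol}")
    return findings


if __name__ == "__main__":
    for label, listing in (("default-style", DEFAULT_STYLE_LISTING),
                           ("RSA+AES:!SSLv3", HARDENED_LISTING)):
        problems = audit(parse_tmm_ciphers(listing))
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```

To use it against a real box, paste the output of `tmm --clientciphers '<candidate string>'` in place of the constructed listing; the check does not replace an external scan, because it only tells you what the profile offers, not what the server's DH parameters actually are.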