Quick check for TLS vulnerability CVE-2016-9244

Hi,

to run a quick recursive search across all client-ssl profiles regarding vulnerability CVE-2016-9244 you can run the following one-liner:

 tmsh -q -c 'cd /; list ltm profile client-ssl one-line recursive' | \
 grep -w 'session-ticket enabled' | grep -E --colour '(ltm profile client-ssl|session-ticket) [^ ]+'

In case there is a (non-default) setting in an affected profile i.e. the following will be returned:

ltm profile client-ssl Common/profile_lb-net.bit_clientssl { app-service none cert Common/cert_lb-net.bit.crt cert-key-chain { cert_lb-net.bit { cert Common/cert_lb-net.bit.crt key Common/cert_lb-net.bit.key } } chain none defaults-from Common/clientssl inherit-certkeychain true key Common/cert_lb-net.bit.key passphrase none session-ticket enabled }

According to the Ask F5 solution the setting may be modified from WebUI in the affected client-ssl profiles advanced settings.

To modify a vulnerable profile from CLI you may want to use i.e. the following syntax (make sure to set the trailing / in front of the admin partition:

tmsh modify ltm profile client-ssl /Common/profile_lb-net.bit_clientssl session-ticket disabled
tmsh save sys config partitions all

Make sure to save the configuration and to config-sync.

Thanks, Stephan

PS: The setting for

session-ticket

disabled