2-way SSL (Client) and Renegotiation
Greetings! We have clients that use 2-way SSL on some of their pages/paths. One of the clients has recently run a security scan and asked us to remove SSL renegotiation from their profile. Disabling renegotiation has also disabled the 2-way SSL we had for them on the profile.
Is there a way to have renegotiation disabled and the 2-way SSL working at the same time?
The 2-way SSL is set up on LTM.
Thanks for your help!
11 Replies
- Cory_50405
Noctilucent
On the SSL server profile, change Secure Renegotiation to 'require' or 'require strict' in order to disable insecure negotiation. Keep in mind that if the back end server isn't patched for this, it could break SSL connections through the LTM.
- MODdev_119626
Nimbostratus
Thanks, Cory! I tried both 'require' and 'require strict' and it didn't work. The client cert is not being asked for. What did you mean by 'if the back end server isn't patched for this'? Currently, the servers have secure bindings for the site configured with our wildcard cert.
- Cory_50405
Noctilucent
The server should be patched for the SSL/TLS renegotiation vulnerability listed here: https://tools.ietf.org/html/rfc5746
If you need client certificate based authentication, I recommend you use proxy SSL. You enable it within both the client and server SSL profiles. http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
- MODdev_119626
Nimbostratus
Proxy SSL is not an acceptable solution for us as we terminate SSL connections at the F5. I believe our web servers are fully patched.
- Cory_50405
Noctilucent
It can be implemented per client and server SSL profile simply by checking a box. But it will need to be checked on all profiles applied to the virtual server that you want to enable it on. Note that in order for it to work you must load the server certificate and key and apply them to both the client and server profiles.
- MODdev_119626
Nimbostratus
It looks like we don't have the Proxy SSL check box in the client profile section. See the screenshot. Does it mean the version we have doesn't support it? We have 10.2.3.
- Cory_50405
Noctilucent
Yes, proxy SSL was introduced in v11. Unsure exactly which version right off hand but we have it in 11.2
- MODdev_119626
Nimbostratus
OK. Does it mean we don't have any solution to have renegotiation disabled and client SSL authentication at the same time unless we upgrade the F5s?
- Cory_50405
Noctilucent
Unfortunately you'll have to upgrade to get the functionality. Though the server could be patched to eliminate the vulnerability and you wouldn't need to upgrade. I'm no server guy so I don't know what kind of effort that would entail.