Forum Discussion
MODdev_119626
Nimbostratus
Mar 11, 2014
2-way SSL (Client) and Renegotiation
Greetings! We have clients that use 2-way SSL on some of their pages/paths. One of the clients has recently run a security scan and asked us to remove SSL renegotiation from their profile. Disabling ...
Cory_50405
Noctilucent
Mar 11, 2014
On the SSL server profile, change Secure Renegotiation to 'require' or 'require strict' in order to disable insecure renegotiation. Keep in mind that if the back-end server isn't patched for this, it could break SSL connections through the LTM.
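A way to check what the setting above actually changes, as an added example that is not part of this thread or of F5's documentation. Scanner reports use "renegotiation" for two different things: support for RFC 5746 secure renegotiation (what the BIG-IP client-ssl profile's secure-renegotiation setting of request / require / require-strict governs) and whether the server accepts a client-initiated renegotiation at all (a separate profile setting). The POSIX shell script below classifies an `openssl s_client` transcript on both axes; the profile name in the comments, the sample transcripts and the refusal heuristic are assumptions, and the transcripts are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): classify a TLS endpoint's
# renegotiation posture from an `openssl s_client` transcript.
#
# Two different things get called "renegotiation" in scanner reports:
#   1. Secure renegotiation (RFC 5746): s_client prints
#      "Secure Renegotiation IS supported" when the renegotiation_info
#      extension was negotiated. On BIG-IP this is the client-ssl profile's
#      secure-renegotiation setting (request | require | require-strict);
#      assumed profile name:
#        tmsh modify ltm profile client-ssl my_clientssl secure-renegotiation require-strict
#   2. Client-initiated renegotiation: whether the server accepts a second
#      handshake on an open connection. Typing "R" into s_client starts one.
#      On BIG-IP that is the client-ssl profile's separate "renegotiation"
#      setting; an iRule that defers the certificate request with
#      SSL::renegotiate (per-path 2-way SSL) depends on it being enabled.
# The sample transcripts at the bottom are CONSTRUCTED and trimmed to the
# lines that matter so the script runs offline.

# Print "rfc5746", "legacy" or "unknown" for the transcript given as $1.
secure_reneg_status() {
    if printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'; then
        echo rfc5746
    elif printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo legacy
    else
        echo unknown
    fi
}

# Print "accepted", "refused" or "not-attempted" for a client-initiated
# renegotiation. Heuristic (an assumption, not an OpenSSL guarantee):
# s_client prints "RENEGOTIATING" when it begins the second handshake; a
# server that declines sends a no_renegotiation alert, which s_client -state
# logs as "no renegotiation", or answers with a handshake failure.
client_reneg_status() {
    if ! printf '%s\n' "$1" | grep -q '^RENEGOTIATING'; then
        echo not-attempted
    elif printf '%s\n' "$1" | grep -Eqi 'no renegotiation|handshake failure'; then
        echo refused
    else
        echo accepted
    fi
}

# Live probe (needs network; not exercised by the offline samples). Feeds "R"
# to s_client so it renegotiates once after the first handshake completes.
probe() {
    host="$1"; port="${2:-443}"
    out=$(printf 'R\n' | openssl s_client -state -connect "$host:$port" -servername "$host" 2>&1)
    echo "secure-renegotiation: $(secure_reneg_status "$out")"
    echo "client-initiated:     $(client_reneg_status "$out")"
}

# Constructed sample transcripts (trimmed).
SAMPLE_PATCHED_ACCEPTS='SSL handshake has read 3456 bytes and written 432 bytes
Secure Renegotiation IS supported
RENEGOTIATING
depth=0 CN = example.test
verify return:1'

SAMPLE_PATCHED_REFUSES='Secure Renegotiation IS supported
RENEGOTIATING
SSL3 alert read:warning:no renegotiation'

SAMPLE_UNPATCHED='Secure Renegotiation IS NOT supported
RENEGOTIATING
depth=0 CN = example.test
verify return:1'
```

Run `probe yourhost.example 443` against the virtual server before and after changing the profile: a require-strict profile on a patched back end should still report rfc5746, and whether the second handshake is accepted tells you which of the two settings the scanner was really complaining about. If the client certificate stops being requested on specific paths, the renegotiation setting, not secure-renegotiation, is the first thing to check.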
- MODdev_119626
Mar 11, 2014
Nimbostratus
Thanks, Cory! I tried both 'require' and 'require strict' and it didn't work. The client cert is not being asked for. What did you mean by 'if the back-end server isn't patched for this'? Currently, the servers have secure bindings for the site configured with our wildcard cert.
- Cory_50405
Mar 12, 2014
Noctilucent
The server should be patched for the SSL/TLS renegotiation vulnerability listed here: https://tools.ietf.org/html/rfc5746. If you need client-certificate-based authentication, I recommend you use proxy SSL. You enable it within both the client and server SSL profiles. http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
- MODdev_119626
Mar 12, 2014
Nimbostratus
Proxy SSL is not an acceptable solution for us as we terminate SSL connections at the F5. I believe our web servers are fully patched.
- Cory_50405
Mar 13, 2014
Noctilucent
We also terminate SSL on our LTMs and use proxy SSL. You can do both. The purpose of it is to maintain client-certificate-based authentication while at the same time allowing layer 7 inspection on the LTM.
- MODdev_119626
Mar 18, 2014
Nimbostratus
Hi Cory, is it a big change to switch to proxy SSL on the F5s? Does it have to be done for all virtual servers, or can it be implemented for individual VSs? We have about 500 sites hosted on the F5s.