About OpenSSL use

Question

It just came to my understanding that when applying SSL profile on a virtual server, openSSL would not really be used. Well it would be used at a base level but at an upper level it's controlled by TMOS. Am I right ? (sorry if it's not well explained...)&nbsp;
So i was wondering if the traffic coming from internet and passing through the virtual server would be subject to openSSL's known vulnerabilities? (knowing that it is not really used)&nbsp;
Thanks&nbsp;

thistuffjuice_3 · Answer

Hi&nbsp;
F5's security-vulnerabilities within the documentation show OpenSSL vulnerabilities (CVE's) affecting some of their BIG-IP products. Example below:&nbsp;
https://support.f5.com/csp/article/K13167034&nbsp;
Sorry, I cannot anwser in depth on the SSL processing performed by the BIG-IP.&nbsp;
However, it looks like they are affected by certain OpenSSL vulnerabilites.&nbsp;
Hope this helps.&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;
DEFAULT cipher does not use OpenSSL library and is not affected by OpenSSL vulnerabilities!&nbsp;
If you change profile cipher to include COMPAT keyword, BIGIP will use OpenSSL library!&nbsp;

Forum Discussion

About OpenSSL use

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

Building an OpenSSL Certificate Authority - Creating Your Root Certificate

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

Building an OpenSSL Certificate Authority - Creating Your Intermediary Certificate

OpenSSL HeartBleed, CVE-2014-0160

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS