Forum Discussion

fpieressa
Nov 21, 2017

BIG-IP SSL vulnerability CVE-2017-6168

Hi! We are reading about the new critical vulnerability https://support.f5.com/csp/article/K21905460, and one possible workaround is disabling the RSA cipher (using the cipher string DEFAULT:!RSA).

In your experience, how popular is RSA? In general, do browsers support other ciphers? In other words, could disabling the RSA cipher have a high impact on the service?

 

  • eey0re

    RSA is the oldest and most widely supported SSL/TLS key exchange. If you disable it, very old clients will not be able to handshake. The main one would be IE on XP.


    When considering changing client SSL profile configuration, a good way to get an idea of how clients will be affected is to use a test virtual server, and then test with the Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/


    In the report, look for the "Handshake simulation" section. This reports the cipher used for a selection of browser and OS versions and any errors/warnings.


  • All of the major desktop and mobile browsers have supported DHE and/or ECDHE Key Exchange for a number of years, as alternatives to RSA Kx. The most notable user agents that do not are IE6 (anywhere) and IE8 on XP (IE8 on newer versions of Windows is OK). https://www.ssllabs.com/ssltest/clients.html is a list of UAs - you're interested in the 'Forward Secrecy' column - that's DHE/ECDHE.


    For most sites disabling RSA Kx (which is what !RSA does) should not be an issue. As the SA advises, it will mainly be an issue for any site that still, for whatever cursed reason, needs to support ancient clients like IE6. Or sites that might be used by specialized clients which, for whatever reason, only support RSA - maybe an old embedded client in a set-top box, etc.
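As an added illustration (not code from the thread, from F5 or from the SSL Labs tool), the following Python script uses the local OpenSSL library, through Python's ssl module, to expand DEFAULT and DEFAULT:!RSA and list what the !RSA token actually removes: only suites whose key exchange is static RSA (Kx=RSA), while the forward-secret ECDHE-RSA and DHE-RSA suites, which still authenticate with the same RSA certificate, stay. It assumes the string is interpreted under OpenSSL's cipher-string rules; BIG-IP cipher strings use the same syntax, but the set of suites a given TMOS version enables differs, so the output is the workstation's OpenSSL list and not the BIG-IP's. The sample description line is constructed so the parser can be checked independently of the local build.

```python
import ssl

# Constructed sample description line, in the format OpenSSL (and Python's
# ssl.SSLContext.get_ciphers()) uses; it lets kx_of() be checked without
# depending on which suites the local OpenSSL build enables.
SAMPLE_DESCRIPTION = "AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD"


def kx_of(description):
    """Return the key-exchange token from an OpenSSL cipher description.

    A description looks like
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'.
    'Kx=RSA' is static RSA key exchange (the part !RSA removes); 'Kx=ECDH' and
    'Kx=DH' are the ephemeral, forward-secret exchanges; 'Kx=any' is what
    OpenSSL reports for TLS 1.3 suites, which never use RSA key exchange.
    """
    for token in description.split():
        if token.startswith("Kx="):
            return token[len("Kx="):]
    return None


def ciphers_for(cipher_string):
    """Map suite name -> key-exchange token for the suites a cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: kx_of(c["description"]) for c in ctx.get_ciphers()}


def compare_cipher_strings(base="DEFAULT", restricted="DEFAULT:!RSA"):
    """Return (base_map, restricted_map, names_removed_by_the_restriction)."""
    before = ciphers_for(base)
    after = ciphers_for(restricted)
    removed = sorted(name for name in before if name not in after)
    return before, after, removed


if __name__ == "__main__":
    before, after, removed = compare_cipher_strings()
    print(f"{len(before)} suites with DEFAULT, {len(after)} with DEFAULT:!RSA")
    print("removed by !RSA (static RSA key exchange):")
    for name in removed:
        print(f"  {name:40s} Kx={before[name]}")
    print("still offered with forward secrecy (Kx=ECDH or Kx=DH):")
    for name, kx in after.items():
        if kx in ("ECDH", "DH"):
            print(f"  {name:40s} Kx={kx}")
```

To confirm the effect on the BIG-IP itself rather than on a workstation's OpenSSL, run the same string through `tmm --clientciphers 'DEFAULT:!RSA'` on the unit and check that no suite is listed with RSA as its key exchange, then apply the profile to a test virtual server and run the SSL Labs handshake simulation as the first reply suggests; the clients that fail there are the ones the !RSA change will cut off.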