Forum Discussion

Altostratus

Nov 21, 2017

BIG-IP SSL vulnerability CVE-2017-6168

Hi! We are reading the https://support.f5.com/csp/article/K21905460 new critical vulnerability, and one possible workaround is disabling RSA cipher (using the cipher string DEFAULT:!RSA). In yo...

Cirrostratus

Nov 21, 2017

RSA is the oldest most widely supported SSL/TLS key exchange. If you disable it, very old clients will not be able to handshake. The main one would be IE on XP.

When considering changing client SSL profile configuration, a good way to get an idea of how client will be affected is to use a test virtual server, and then test with Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/

In the report, look for the "Handshake simulation" section. This reports the cipher used for a selection of browser and OS versions and any errors/warnings.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

BIG-IP SSL vulnerability CVE-2017-6168

Introducing the F5 Application Study Tool (AST)

Displaying Application Study Tool (AST) Dashboards in Your Own Grafana Instance

Recent Discussions

What dose "Accept" do in BIG-IP ASM event logs

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?

Change Content-Type from application/octet-stream to multipart/form-data

f5 AI Gateway pii-redactor not working

Terraform apply failures - loadbalancer_type.https.port_choice

Related Content

Return of Bleichenbacher - the ROBOT Attack CVE-2017-6168

BIG-IP Report

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

BIG-IP Telemetry Streaming to Azure

BIG-IP Next Automation: AS3 Basics

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS