For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fpieressa's avatar
fpieressa
Icon for Altostratus rankAltostratus
Nov 21, 2017

BIG-IP SSL vulnerability CVE-2017-6168

Hi! We are reading the https://support.f5.com/csp/article/K21905460 new critical vulnerability, and one possible workaround is disabling RSA cipher (using the cipher string DEFAULT:!RSA).   In yo...
cve-2017-6168
LTM
security
eey0re's avatar
eey0re
Icon for Cirrostratus rankCirrostratus
Nov 21, 2017

RSA is the oldest most widely supported SSL/TLS key exchange. If you disable it, very old clients will not be able to handshake. The main one would be IE on XP.

 

When considering changing client SSL profile configuration, a good way to get an idea of how client will be affected is to use a test virtual server, and then test with Qualys SSL Labs server test: https://www.ssllabs.com/ssltest/

 

In the report, look for the "Handshake simulation" section. This reports the cipher used for a selection of browser and OS versions and any errors/warnings.