Forum Discussion

fpieressa's avatar
fpieressa
Icon for Altostratus rankAltostratus
Nov 21, 2017

BIG-IP SSL vulnerability CVE-2017-6168

Hi! We are reading the https://support.f5.com/csp/article/K21905460 new critical vulnerability, and one possible workaround is disabling RSA cipher (using the cipher string DEFAULT:!RSA).   In yo...
cve-2017-6168
LTM
security
MegaZone's avatar
MegaZone
Icon for SIRT rankSIRT
Nov 22, 2017

All of the major desktop and mobile browsers have supported DHE and/or ECDHE Key Exchange for a number of years, as alternatives to RSA Kx. The most notable user agents that do not are IE6 (anywhere) and IE8 on XP (IE8 on newer versions of Windows is OK). https://www.ssllabs.com/ssltest/clients.html is a list of UAs - you're interested in the 'Forward Secrecy' column - that's DHE/ECDHE.

 

For most sites disabling RSA Kx (which is what !RSA does) should not be an issue. As the SA advises, it will mainly be an issue for any site that still, for whatever cursed reason, needs to support ancient clients like IE6. Or sites that might be used by specialized clients which, for whatever reason, only support RSA - maybe an old embedded client in a set-top box, etc.