Disable Anonymous Authentication for SSL

Question

I have followed a couple of posts around trying to figure out how to make this change but so far without any luck.  I have a medium priority call in with F5, but I figured while I am waiting for my call back "within 8 hours" I might post this question here.  
&nbsp;  
&nbsp; Recently we have been undergoing PCI Compliancy scans.  One of the recurring issues that we have is: 
&nbsp;  
&nbsp; ------ 
&nbsp; SSL Server Allows Anonymous Authentication Vulnerability 
&nbsp;  
&nbsp; The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an 
&nbsp; algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, 
&nbsp; Netscape and Mozilla do not use anonymous authentication ciphers by default. 
&nbsp; A vulnerability exists in SSL communcations when clients are allowed to connect 
&nbsp; using no authentication algorithm. SSL client-server communication may use several different types of 
&nbsp; authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the 
&nbsp; communications are vulnerable to a man-in-the-middle attack." 
&nbsp; ------ 
&nbsp;  
&nbsp; Our BigIP device hosts our SSL certificates for the load balanced sites behind it.  If the certificates were directly on our Apache servers, then turning off the anonymous authentication would be trivial.  However I have yet to find a solution with the BigIP.  A setting?  An iRule?  Any help or advice would be greatly appreciated!

geoffsweet_3221 · Answer

ah, well I figured it out.  For our release, 9.4.3, the command is: 
&nbsp;  
&nbsp; bigpipe httpd sslciphersuite 'ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW' 
&nbsp;  
&nbsp; That disables low encryption and null and anonymous cipher requests.

hoolio · Answer

The 'b httpd' commands only modify the admin GUI configuration.  If you want to specify which ciphers can be used for a LB VIP, you can modify the client SSL profile or use an iRule.  Check this post for details on both methods: 
&nbsp;  
&nbsp; Disable SSLv2 (Click here) 
&nbsp;  
&nbsp; Aaron

swo0sh_gt_13163 · Answer

Surprisingly there is no help available for this vulnerability for 11.6.0 Firmware version. However I was expecting that after disabling SSLv2/TLS1 this cipher suite will be disabled, however that wasn't fact.
I had to manually disable this particular cipher from the Client-SSL Profile.
Profile &gt; SSL &gt; Client &gt; TestClientSSL
Ciphers - HIGH:!ADH

After updating the Client-SSL Profile, I verified the HTTPS service on Qualys and DigiCert's SSL Test site and it was fixed. I hope this would help someone.
Cheers!

venomlace_13384 · Answer

within my Client SSL configurations I have this for Ciphers:  NATIVE:!MD5:!EXPORT:!DES:!SSLv3:!RC4:@SPEED

Do I add HIGH:!ADH within there or replace the entire string with it?

Thanks!

swo0sh_gt_13163 · Answer

Hello  Venomlace,
I think you can use your current cipher suites defined in your Client-SSL Profile, by adding !ADH within the same suite, to discard the ADH from being negotiate.
You may update your current cipher suite to the following.
NATIVE:!MD5:!EXPORT:!DES:!SSLv3:!ADH:!RC4:@SPEED
I hope this helps.
Cheers!
Darshan

Forum Discussion

Disable Anonymous Authentication for SSL

7 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

R4800 snmp issues.

F5 XC JWKS auto update

PCI Compliance and ASM

irule for redirect and header injection

What happens if I activate only ASM without provisioning LTM?

Related Content

Anonymous DDOS Tools 2016

Dealing with DDoS threats by KillNet, Anonymous Sudan and REvil

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Banking Authentication, Solar, Patch Tuesday, DEF CON

Doing mTLS Authentication per URL

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS