Forum Discussion
Gustavo_Lazarte
Nimbostratus
NimbostratusDisable SSL 2.0
According to our security Auditor we need to disable SSl 2.0 support and support SSL 3.0 or TLS 1.0 instead. I have not found a place in the Client ssl to set this up. I found the following values in the iRules Documentation
[SSL::cipher name] and [SSL::cipher version], That will take care of the SSL 3.0 prob. How can I enable TLS 1.0 access too.
Thanks
2 Replies
HamishCirrocumulus
You can disable SSLv2 in two places in the client SSL setup.
In the options, you can disable sslv2. (Select options, and then scroll down to 'No SSLv2' in the options list that appears. Select that & select 'Enable'. The 'No SSLv2' option will now be listed in the Enabled Options.
Or you can set no SSLv2 in the 'Ciphers' list. I usually set the clientssl profile (The one all other are usually set to inherit from) to
'DEFAULT,!SSLv2,!EXPORT56,!MD5'
Which disables SSLv2, disables 56-bit encryption (For some REALLY old IE browsers that can stepup from 40bit to 128, but can't do 56 to 128 bit step), and lastly disabled MD5 (Because it's broken - As in insecure not as in a bad implementation).
H
hoolioCirrostratus
You could also use an iRule to check the cipher used and redirect clients to a warning page explaining why they're being blocked if they don't meet your criteria. Here is an example:
Redirect On Weak Encryption (Click here)
The downside to using the client SSL profile options to do this is the client simply gets a TCP reset resulting in a 'page cannot be displayed' error in the browser.
Aaron
