Forum Discussion
Jeff_Williams_4
Nimbostratus
Jun 24, 2014
Disable Supported Elliptic Curves Extension from server
Hi,
We see that our F5 load balancer running BIG-IP 11.5.1 Build 2.0.121 Hotfix HF2, is sending the extension for "elliptic curves" (id=10). For example, this is an extract from a debug using the c...
Jeff_Williams_4
Nimbostratus
Jun 27, 2014
Hi afedden,
Thanks for the recommendation; however, I have been unable to test since I only have access to a partition, and changes with roles on 11.5 mean that I am no longer able to edit SSL Client Profiles. And our main client running into issues has now been patched to ignore the erroneous extension.
Jeff
- afedden_1985
Cirrus
Jun 30, 2014
Just an FYI we implemented 11.5 and didn't run into any issue and I didn't disable the ECDHE ciphers. Also F5 tried a repro based on your description and was unable to repro the issue. The issue that did get me was 11.5 removed support for SSLv3 and that caused some issues for some clients until we enabled it.
- Jeff_Williams_4
Nimbostratus
Jun 30, 2014
Out of interest, if you run the command:
    openssl s_client -tls1 -tlsextdebug -state -debug -connect :443
With a version of openssl > 1.0.0, do you get the 'TLS server extension "elliptic curves"' line? We only found it caused issues with certain versions of GNU TLS, so you may not see an issue. That said, it looks like the GNU TLS behaviour was correct. We too had the issue with SSLv3 disappearing, so we added in ciphers as per http://support.f5.com/kb/en-us/solutions/public/15000/000/sol15022.html, then we hit this issue with the elliptic curves!
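
Added example (not part of the original thread, and not F5 or OpenSSL code): the check discussed above, done on raw bytes instead of by reading `s_client` output. It parses a TLS 1.0-1.2 ServerHello handshake message and reports whether it carries extension 10, which RFC 4492 defines for the ClientHello only. The helper `build_server_hello` and the two sample messages are constructed for illustration.

```python
import struct

ELLIPTIC_CURVES = 10     # extension id=10, as named in the thread
EC_POINT_FORMATS = 11    # the EC extension a server may legitimately send

def server_hello_extensions(msg: bytes) -> list:
    """Return [(ext_type, ext_data), ...] from a TLS 1.0-1.2 ServerHello
    handshake message (record header already stripped)."""
    if len(msg) < 4 or msg[0] != 2:            # HandshakeType server_hello = 2
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 35:
        raise ValueError("bad or truncated ServerHello length")
    # version(2) + random(32) + session_id(1+n) + cipher_suite(2) + compression(1)
    pos = 34 + 1 + body[34] + 3
    if pos > len(body):
        raise ValueError("truncated ServerHello")
    if pos == len(body):
        return []                              # the extensions block is optional
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if pos + 2 > len(body) or end != len(body):
        raise ValueError("bad extensions length")
    pos += 2
    exts = []
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension data")
        exts.append((etype, body[pos:pos + elen]))
        pos += elen
    return exts

def sends_elliptic_curves(msg: bytes) -> bool:
    """True if the ServerHello carries extension 10."""
    return any(t == ELLIPTIC_CURVES for t, _ in server_hello_extensions(msg))

def build_server_hello(exts) -> bytes:
    """Constructed sample input: a TLS 1.0 ServerHello with the given extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\xc0\x14" + b"\x00"
    body += struct.pack("!H", len(ext)) + ext if exts else b""
    return b"\x02" + len(body).to_bytes(3, "big") + body

GOOD = build_server_hello([(EC_POINT_FORMATS, b"\x01\x00")])
BAD = build_server_hello([(EC_POINT_FORMATS, b"\x01\x00"),
                          (ELLIPTIC_CURVES, b"\x00\x02\x00\x17")])
```

`sends_elliptic_curves(BAD)` is true and `sends_elliptic_curves(GOOD)` is false; to use it on a real capture, pass the handshake message bytes with the 5-byte TLS record header removed.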
