Forum Discussion
Disabled SSLv3 but still connects. Do I have to enable anything else to Disable SSLv3?
Hi,
Platform: F5 LTM v11.4
I have disabled SSLv3 in the ciphers "DEFAULT:!SSLv3", but when I run "openssl s_client -connect www.$clientsite.com.au:443 -ssl3" from a remote box, it still connects with the following output:
===================
CONNECTED(00000003)
139824806426272:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414544500
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
3 Replies
- Virtualrana_132
Nimbostratus
Just an FYI,
The following site says SSLv3 has been disabled for this site, which is the expected answer, but "openssl s_client -connect www.$clientsite.com.au:443 -ssl3" says "Connected" as above.
https://www.ssllabs.com/ssltest/index.html
- NikhilB
Employee
Where was this disabled? (client ssl profile or server side?) Can you run ssldump on the BIG-IP and check the TLS/SSL version pls?
- Virtualrana_132
Nimbostratus
It is disabled on the client ssl Profile. My understanding is, when it says "CONNECTED(00000003)" it is connected on port 443. I was looking for "routines:alert handshake failure", but as you can see in the output in my initial post, it wasn't generating that error.
As my other testing says SSLv3 is disabled for that site, I am convinced that the site is no longer vulnerable to POODLE, but I am curious why "openssl s_client -connect www.$clientsite.com.au:443 -ssl3" doesn't give me a handshake error. I would appreciate any explanation as my Linux/command knowledge is not that great.
================================
SSL-Session:
    Protocol : TLSv1.1
    Cipher : RC4-SHA
    Session-ID: 861A650AAFF7F48960489067695E1BBA64D861B0E5D3ACEF520973FF2854C965
    Session-ID-ctx:
    Master-Key: 130EDF4766DEDF908B0050E207C7C5827592458871C8A5196843E4666446C47BF71FA35801DDF0142043125E853E67A4
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414550303
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
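Added example, not part of the thread or written by any of its participants: a small shell check that decides whether an `openssl s_client` run actually negotiated a session. It ignores the `CONNECTED` line, which only reports that the TCP connection opened, and looks at the negotiated cipher instead. The function name and both sample outputs are constructed for illustration, modelled on the outputs posted above.

```shell
#!/bin/sh
# handshake_result (hypothetical helper): reads s_client output on stdin and
# prints  negotiated:<protocol>:<cipher> | refused | no-connection
handshake_result() {
    awk '
        /^CONNECTED\(/            { tcp = 1 }        # TCP connect only
        /^[ \t]*Protocol[ \t]*:/  { proto = $NF }    # SSL-Session block
        /^[ \t]*Cipher[ \t]*:/    { cipher = $NF }   # 0000 = nothing agreed
        END {
            if (!tcp) { print "no-connection"; exit }
            # Protocol still echoes the version the client asked for, so
            # only the cipher shows whether a handshake completed.
            if (cipher == "" || cipher == "0000") { print "refused"; exit }
            print "negotiated:" proto ":" cipher
        }'
}

# Constructed sample: the -ssl3 attempt, shaped like the first output above.
sample_refused() { cat <<'EOF'
CONNECTED(00000003)
139824806426272:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
}

# Constructed sample: a completed handshake, shaped like the second output.
sample_negotiated() { cat <<'EOF'
CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

echo "ssl3 attempt:    $(sample_refused | handshake_result)"
echo "default attempt: $(sample_negotiated | handshake_result)"

# Live use (needs an OpenSSL build that still supports -ssl3):
#   openssl s_client -connect HOST:443 -ssl3 </dev/null 2>&1 | handshake_result
```

A result of `refused` for the `-ssl3` run is consistent with SSLv3 being rejected, even though the output begins with `CONNECTED` and contains no "alert handshake failure" line.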
