For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

vvskaladhar_488's avatar
vvskaladhar_488
Icon for Nimbostratus rankNimbostratus
Aug 26, 2015

Enable SSLv3 for VIP on 11.5.1 HF7

Hello All,   recently We upgraded HF7 from HF1 on one of our F5 , after this we observed it completely blocking SSLv3 . Can you please let me know if we have any option to enable SSLv3 for VIP con...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 26, 2015

The absolute easiest option is to modify the Ciphers option in the client SSL profile. SSLv3 is still supported in the NATIVE stack but was removed from the DEFAULT stack (a subset of NATIVE).

DEFAULT:SSLv3

But of course keep in mind that SSLv3 has recently been shown to have some pretty severe vulnerabilities and best practice is to avoid it if at all possible. At the very least also remove support for MD5 and DES-CBC-SHA, and potentially RC4:

DEFAULT:SSLv3:!MD5:!DES-CBC-SHA:!RC4

You can validate this list from the command line with the tmm --clientciphers tool:

tmm --clientciphers 'DEFAULT:SSLv3:!MD5:!DES-CBC-SHA:!RC4'