Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

Question

We have a few F5 VIPs on our LTM that have the TLS triple handshake vulnerability as detected by the scan.

I was reading the article below and it seems it's enabled by default. Why only some VIPs are detected and the other F5 VIP doesn't seem to be affected ?

And the option to disabled it is only through putty ?

https://support.f5.com/csp/article/K66202244

boneyard · Answer

which tmos version are you using?&nbsp;just to make sure, you seeing a difference between SSL enabled VIPs? not between a non SSL and a SSL enabled VIP?&nbsp;as for you last question, yes the setting can only be changed from the CLI, but in general you dont want to change the setting, as it is a way to prevent to tls triple handshake.&nbsp;assuming this comes from qualys this thread is interesting to read:https://qualys-secure.force.com/discussions/s/question/0D52L00004TnvDPSAZ/regarding-rfc-7627-on-transport-layer-security-tls-session-hash-and-extended-master-secret-extension-will-become-a-mandatory-tls-extension

Forum Discussion

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

Recent Discussions

NetScaler to F5 Migration

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Related Content

SSL Orchestrator Service Extensions: User Coaching

F5 CIS, TLS Extensions, and troubleshooting

Mitigating Apache Camel Vulnerability CVE-2025–27636 with F5 Products

F5 Cloud Failover Extension (CFE), private endpoints, and custom DNS

SSL Profiles Part 1: Handshakes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS