For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doran_Lum's avatar
Doran_Lum
Icon for Nimbostratus rankNimbostratus
Jun 11, 2020

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

We have a few F5 VIPs on our LTM that have the TLS triple handshake vulnerability as detected by the scan. I was reading the article below and it seems it's enabled by default. Why only some VIPs ar...
BIG-IP
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jun 22, 2020

which tmos version are you using?

 

just to make sure, you seeing a difference between SSL enabled VIPs? not between a non SSL and a SSL enabled VIP?

 

as for you last question, yes the setting can only be changed from the CLI, but in general you dont want to change the setting, as it is a way to prevent to tls triple handshake.

 

assuming this comes from qualys this thread is interesting to read:

https://qualys-secure.force.com/discussions/s/question/0D52L00004TnvDPSAZ/regarding-rfc-7627-on-transport-layer-security-tls-session-hash-and-extended-master-secret-extension-will-become-a-mandatory-tls-extension