Forum Discussion

pgermain_71805
Apr 04, 2011

iRule to Disable SSL Negotiation

Hello

I am running 9.4.8 and just applied HF4 in order to use the standard iRule to disable SSL session renegotiation.

when CLIENTSSL_HANDSHAKE {
    # once the client-side handshake completes, refuse any further
    # renegotiation on this connection
    SSL::renegotiate disable
}

Even after this has been applied to a virtual server, a Nessus security scan is able to renegotiate a session with a different cipher. I have looked at captures of this and tend to agree.

Is there anything else necessary to get this working?

Many Thanks,

Paul

  • Paul,

    Is Nessus testing for SSL session resumption or SSL (midstream) renegotiation? Is Nessus triggering on CVE-2010-4180 (discussed in SOL12543)? If the information there doesn't address your needs, I'd suggest opening a case with F5 Networks Support to get further clarification.

    ~Paul
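The distinction this reply asks about (session resumption versus mid-stream renegotiation) can be checked from the command line with openssl s_client before a support case is opened. The script below is an added example for this thread, not code from the original post, from F5 or from Nessus. It assumes a reachable HOST and PORT for the virtual server, that "R" on a line by itself piped into s_client triggers a renegotiation attempt, and that the error strings it matches are the ones OpenSSL prints for those outcomes (the SAMPLE_* outputs at the bottom are constructed for the self-check, not captured from a BIG-IP):

```shell
#!/bin/sh
# Added example (not from the original thread or from F5): tell SSL session
# resumption (a new connection reusing a session ID via an abbreviated
# handshake) apart from mid-stream renegotiation (a second handshake inside an
# existing connection). "SSL::renegotiate disable" only targets the latter.
# Both checks drive openssl s_client; HOST and PORT are whatever you pass in.
# The SAMPLE_* strings at the bottom are constructed for the self-check.

# Classify the output of an s_client renegotiation attempt ("R" typed on a
# line by itself). The matched strings are the ones OpenSSL prints for these
# outcomes (an assumption about your build; extend the list if it differs).
classify_renegotiation() {
    # No "RENEGOTIATING" line means the initial handshake never got far
    # enough to try; any error seen is about the connect, not renegotiation.
    case "$1" in *RENEGOTIATING*) ;; *) echo no_attempt; return ;; esac
    case "$1" in
        # The client gave up because the server does not offer RFC 5746
        # secure renegotiation. Rerun with -legacy_renegotiation before
        # drawing any conclusion about the server.
        *"unsafe legacy renegotiation disabled"*) echo client_refused ;;
        # Server answered the second ClientHello with an alert ...
        *"no renegotiation"*|*"handshake failure"*) echo refused ;;
        *"unexpected message"*|*"shutdown while in init"*) echo refused ;;
        # ... or simply closed the connection under it.
        *"errno="*) echo refused ;;
        # s_client announced the attempt and nothing went wrong afterwards.
        *) echo allowed ;;
    esac
}

# Count abbreviated (resumed) handshakes in "s_client -reconnect" output.
# -reconnect opens five more connections after the first and labels each
# session line "New," or "Reused,"; a server with resumption on shows 5.
count_reused_sessions() {
    printf '%s\n' "$1" | grep -c '^Reused,' || true
}

# Whether the server advertised RFC 5746, from s_client's summary line.
secure_renegotiation_supported() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo no ;;
        *"Secure Renegotiation IS supported"*) echo yes ;;
        *) echo unknown ;;
    esac
}

# Live probes; these need network access to the virtual server.
probe_renegotiation() {   # usage: probe_renegotiation HOST PORT [s_client args]
    host=$1; port=$2; shift 2
    # "R" on its own line makes s_client renegotiate once the handshake is up.
    out=$(printf 'R\n' | openssl s_client -connect "$host:$port" "$@" 2>&1 || true)
    classify_renegotiation "$out"
}
probe_resumption() {      # usage: probe_resumption HOST PORT
    out=$(openssl s_client -connect "$1:$2" -reconnect </dev/null 2>&1 || true)
    count_reused_sessions "$out"
}

# Constructed sample outputs, abridged to the lines that matter.
SAMPLE_REFUSED='RENEGOTIATING
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
SAMPLE_ALLOWED='Secure Renegotiation IS NOT supported
RENEGOTIATING
DONE'
SAMPLE_CLIENT_REFUSED='RENEGOTIATING
error:SSL routines:unsafe legacy renegotiation disabled'
SAMPLE_NO_ATTEMPT='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
SAMPLE_RECONNECT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
Reused, TLSv1/SSLv3, Cipher is AES256-SHA'

printf 'refused sample   -> %s\n' "$(classify_renegotiation "$SAMPLE_REFUSED")"
printf 'reconnect sample -> %s sessions resumed\n' "$(count_reused_sessions "$SAMPLE_RECONNECT")"
```

Run `probe_resumption HOST PORT` and `probe_renegotiation HOST PORT` against the virtual server: a non-zero resumed count with "refused" from the second probe means the scanner is most likely seeing resumption, which the iRule does not touch; "allowed" means a second handshake really went through on the same connection. Treat "client_refused" as inconclusive and repeat with `probe_renegotiation HOST PORT -legacy_renegotiation`, since it only says that this OpenSSL client declined to renegotiate with a server that lacks RFC 5746.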
  • I know you can restrict your accepted Ciphers in the SSL Profile in v9.4.x.

    In v10.x.x you can control Renegotiation in the SSL Profile as well. I am not sure when that option was added, but it might be worth looking into to see if the option is there in v9.4.8.

    If it is then it might offer you an alternative to an iRule.