Forum Discussion
pgermain_71805
Nimbostratus
Apr 04, 2011
iRule to Disable SSL Negotiation
Hello
I am running 9.4.8 and just applied HF4 in order to use the standard iRule to disable SSL session renegotiation.
when CLIENTSSL_HANDSHAKE {
    SSL::renegotiate disable
}
Even after this has been applied to a virtual server, a Nessus security scan is able to renegotiate a session with a different cipher. I have looked at captures of this and tend to agree.
Is there anything else necessary to get this working?
Many Thanks,
Paul
2 Replies
- Paul_Aurich
Employee
Paul,
Is Nessus testing for SSL session resumption or SSL (midstream) renegotiation? Is Nessus triggering on CVE-2010-4180 (discussed in SOL12543)? If the information there doesn't address your needs, I'd suggest opening a case with F5 Networks Support to get further clarification.
~Paul
- Michael_Yates
Nimbostratus
I know you can restrict your accepted Ciphers in the SSL Profile in v9.4.x.
In v10.x.x you can control Renegotiation in the SSL Profile as well. I am not sure when that option was added, but it might be worth looking into to see if the option is there in v9.4.8.
If it is then it might offer you an alternative to an iRule.
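
Added example, not part of the thread: the first reply's question (session resumption or midstream renegotiation) can be answered from a capture by reading the TLS record headers of one TCP connection. The helper names and sample byte strings are constructed for illustration, and the check covers session-ID resumption on SSL 3.0 through TLS 1.2 only.

```python
import struct

HANDSHAKE, CCS = 22, 20  # TLS record content types

def records(stream):
    """Yield (content_type, payload) for each TLS record in one direction."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def hello_session_id(stream):
    """Session ID in the plaintext hello that opens the stream, or b''."""
    for ctype, p in records(stream):
        if ctype == HANDSHAKE and len(p) >= 39 and p[0] in (1, 2):
            # 4-byte handshake header, 2-byte version, 32-byte random, then id
            return p[39:39 + p[38]]
        break  # only the first record is inspected
    return b""

def classify(client_stream, server_stream):
    """Classify one TCP connection (SSL 3.0 to TLS 1.2 record layer)."""
    offered = hello_session_id(client_stream)
    resumed = bool(offered) and offered == hello_session_id(server_stream)
    ccs = late = 0
    for ctype, _ in records(client_stream):
        if ctype == CCS:
            ccs += 1
        elif ctype == HANDSHAKE and ccs:
            late += 1  # the first handshake record after CCS is the Finished
    # A second client CCS means a second handshake completed on this connection;
    # extra handshake records without it mean one was started but not finished.
    reneg = "completed" if ccs >= 2 else "attempted" if late > 1 else "none"
    return {"resumed": resumed, "renegotiation": reneg}

# Constructed sample traffic (assumed for illustration, not from a real capture).
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def hello(msg_type, session_id=b""):
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    return rec(HANDSHAKE, bytes([msg_type]) + len(body).to_bytes(3, "big") + body)

ENC, SID = b"\x00" * 40, b"\xaa" * 32  # stand-ins: encrypted body, session ID
first = hello(1) + rec(HANDSHAKE, ENC) + rec(CCS, b"\x01") + rec(HANDSHAKE, ENC)
server = hello(2, SID) + rec(CCS, b"\x01") + rec(HANDSHAKE, ENC)
resumption = (hello(1, SID) + rec(CCS, b"\x01") + rec(HANDSHAKE, ENC), server)
midstream = (first + rec(23, ENC) + rec(HANDSHAKE, ENC) + rec(CCS, b"\x01")
             + rec(HANDSHAKE, ENC), server)
print(classify(*resumption), classify(*midstream))
```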
