Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Mar 04, 2015

iRule to mitigate TLS/SSL FREAK?

In before the crowd: Please respond if you have an iRule to mitigate the FREAK attack on TLS/SSL via RSA-EXPORT. (CVE-2015-0204 on OpenSSL, see also https://www.smacktls.com/freak and http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html )

Also, any word on whether the admin web server in TMOS is affected?

application delivery

Lee_Payne_53457
Mar 04, 2015
Depending on the version of TMOS you're running you may not need to do anything, but I would disable it in the SSL profile rather than an iRule, these items should prevent it (I think): !MD5:!EXP:!EXPORT40

This article talks about disabling ciphers on the management plane: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

Lee_Payne_53457
Cirrostratus
Mar 04, 2015
Depending on the version of TMOS you're running you may not need to do anything, but I would disable it in the SSL profile rather than an iRule, these items should prevent it (I think): !MD5:!EXP:!EXPORT40

This article talks about disabling ciphers on the management plane: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
- Thorsten_90558
  Nimbostratus
  Mar 04, 2015
  Thanks! You are right, as long as the BigIP functions as an LTM in full proxy and doesn't just pass the traffic through, the SSL Profile is the right place to configure this. I wasn't thinking :)
shaggy_121467
Cumulonimbus
Mar 04, 2015
Depending on your BIGIP software level, the DEFAULT cipher-suite may already have you covered: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171

I believe the MD5 and EXPORT ciphers have been disabled in the DEFAULT cipher list since v10.2
- Thorsten_90558
  Nimbostratus
  Mar 04, 2015
  Right you are, they do. That's excellent.
shaggy
Nimbostratus
Mar 04, 2015
Depending on your BIGIP software level, the DEFAULT cipher-suite may already have you covered: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171

I believe the MD5 and EXPORT ciphers have been disabled in the DEFAULT cipher list since v10.2
- Thorsten_90558
  Nimbostratus
  Mar 04, 2015
  Right you are, they do. That's excellent.
shaggy_121467
Cumulonimbus
Mar 04, 2015
Check out https://devcentral.f5.com/articles/getting-freak-y-with-big-ip
- Thorsten_90558
  Nimbostratus
  Mar 05, 2015
  Thank you for the link, that's a great writeup!
shaggy
Nimbostratus
Mar 04, 2015
Check out https://devcentral.f5.com/articles/getting-freak-y-with-big-ip
- Thorsten_90558
  Nimbostratus
  Mar 05, 2015
  Thank you for the link, that's a great writeup!
cjbarr1234
Altostratus
Mar 04, 2015
I went through this a while ago.. Give this a shot:

https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming