Forum Discussion
Thorsten_90558
Nimbostratus
NimbostratusiRule to mitigate TLS/SSL FREAK?
In before the crowd: Please respond if you have an iRule to mitigate the FREAK attack on TLS/SSL via RSA-EXPORT. (CVE-2015-0204 on OpenSSL, see also https://www.smacktls.com/freak and http://blog.cry...
Depending on the version of TMOS you're running you may not need to do anything, but I would disable it in the SSL profile rather than an iRule, these items should prevent it (I think): !MD5:!EXP:!EXPORT40
This article talks about disabling ciphers on the management plane: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
Lee_Payne_53457
Cirrostratus
CirrostratusDepending on the version of TMOS you're running you may not need to do anything, but I would disable it in the SSL profile rather than an iRule, these items should prevent it (I think): !MD5:!EXP:!EXPORT40
This article talks about disabling ciphers on the management plane: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
Thorsten_90558Thanks! You are right, as long as the BigIP functions as an LTM in full proxy and doesn't just pass the traffic through, the SSL Profile is the right place to configure this. I wasn't thinking :)