Forum Discussion
iRule to mitigate TLS/SSL FREAK?
In before the crowd: Please respond if you have an iRule to mitigate the FREAK attack on TLS/SSL via RSA-EXPORT. (CVE-2015-0204 on OpenSSL, see also https://www.smacktls.com/freak and http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html )
Also, any word on whether the admin web server in TMOS is affected?
- cjbarr1234 (Altostratus)
I went through this a while ago.. Give this a shot:
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
- shaggy_121467 (Cumulonimbus)
- Thorsten_90558 (Nimbostratus): Thank you for the link, that's a great writeup!
- shaggy_121467 (Cumulonimbus)
Depending on your BIGIP software level, the DEFAULT cipher-suite may already have you covered: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171
I believe the MD5 and EXPORT ciphers have been disabled in the DEFAULT cipher list since v10.2
- Thorsten_90558 (Nimbostratus): Right you are, they do. That's excellent.
- Lee_Payne_53457 (Cirrostratus)
Depending on the version of TMOS you're running you may not need to do anything, but I would disable it in the SSL profile rather than an iRule, these items should prevent it (I think): !MD5:!EXP:!EXPORT40
This article talks about disabling ciphers on the management plane: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
- Thorsten_90558 (Nimbostratus): Thanks! You are right, as long as the BigIP functions as an LTM in full proxy and doesn't just pass the traffic through, the SSL Profile is the right place to configure this. I wasn't thinking :)
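
Added example, not part of the original thread and not F5 code: a small audit that reads a cipher listing and flags any suite the `!MD5:!EXP:!EXPORT40` exclusions discussed above are meant to remove, so a changed profile can be checked rather than assumed. The function name `audit` is hypothetical and the sample listing is constructed in the style of `openssl ciphers -v` output.

```python
import re

# Constructed sample in the style of `openssl ciphers -v` output from an
# OpenSSL 1.0.x-era build; it was not captured from a BIG-IP.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# Key=value columns of the listing, e.g. Kx=RSA(512) or Mac=MD5.
FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def audit(listing):
    """Return {suite_name: [reasons]} for suites that should not be offered."""
    findings = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        name = parts[0]
        fields = dict(FIELD.findall(line))
        reasons = []
        # Export-grade suites carry a trailing "export" marker and an EXP- prefix.
        if parts[-1] == "export" or name.startswith("EXP-"):
            reasons.append("export-grade")
        # FREAK depends on RSA_EXPORT key exchange with a 512-bit temporary key.
        m = re.fullmatch(r"RSA\((\d+)\)", fields.get("Kx", ""))
        if m and int(m.group(1)) <= 512:
            reasons.append("RSA key exchange limited to %s bits" % m.group(1))
        if fields.get("Mac") == "MD5":
            reasons.append("MD5 MAC")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for suite, why in audit(SAMPLE).items():
        print(suite, "->", ", ".join(why))
```

An empty result for the listing produced by the profile's cipher string means none of the three excluded classes is still being offered.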