Forum Discussion
Logjam and FREAK using BIG-IP 9.4.3 - please help!
Hello. Have a number of sites running on the old BIG-IP 9.4.3 box that business just does not want to upgrade. We have mitigated the previous SSL vulnerabilities by setting the SSL profile ciphers to DEFAULT:!SSLv3 and it's only talking TLS 1.0 now.
Was checking the site in SSLLABS today and it's a big, fat, red F =(
- This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)
- This server supports 512-bit export suites and might be vulnerable to the FREAK attack
I know it's old, but is there anything that can be done to keep it going? Below is what SSL LABS reported:
1 Reply
- David_Stout
Nimbostratus
You could try using profile string 'RSA+AES:!SSLv3' ... That's about the only option you have, I think.
```
[a-dstout@ltm13:Active:In Sync] ~ tmm --clientciphers 'RSA+AES:!SSLv3'
     ID  SUITE          BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:  61  AES256-SHA256  256   TLS1.2  Native  AES     SHA256  RSA
 1:  53  AES256-SHA     256   TLS1    Native  AES     SHA     RSA
 2:  53  AES256-SHA     256   TLS1.1  Native  AES     SHA     RSA
 3:  53  AES256-SHA     256   TLS1.2  Native  AES     SHA     RSA
 4:  53  AES256-SHA     256   DTLS1   Native  AES     SHA     RSA
 5:  60  AES128-SHA256  128   TLS1.2  Native  AES     SHA256  RSA
 6:  47  AES128-SHA     128   TLS1    Native  AES     SHA     RSA
 7:  47  AES128-SHA     128   TLS1.1  Native  AES     SHA     RSA
 8:  47  AES128-SHA     128   TLS1.2  Native  AES     SHA     RSA
 9:  47  AES128-SHA     128   DTLS1   Native  AES     SHA     RSA
```

That or decide that the business deserves to fall on its a** out of sheer ignorance lol
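As an added example (not part of the reply above and not F5 tooling), here is one way to check a `tmm --clientciphers` listing for suites tied to the two SSL Labs findings in the question: export-grade suites and finite-field DH key exchange. The `EXP` prefix, the sub-128-bit threshold, the DH labels and the two constructed rows are assumptions made for illustration.

```python
import re

# Row layout of the `tmm --clientciphers` listing quoted in the reply:
#   index: ID SUITE BITS PROT METHOD CIPHER MAC KEYX
ROW = re.compile(r"^\s*\d+:\s+\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")
FF_DH = {"DH", "DHE", "EDH", "ADH"}  # assumed labels for finite-field DH (not ECDH)

def parse_rows(text):
    """Return one dict per cipher row; prompt and header lines do not match."""
    keys = ("suite", "bits", "prot", "keyx")
    hits = (ROW.match(line) for line in text.splitlines())
    return [dict(zip(keys, m.groups())) for m in hits if m]

def audit(text):
    """Return (suite, prot, reason) for every row tied to the two findings."""
    flagged = []
    for r in parse_rows(text):
        # Assumption: export suites carry an EXP prefix or a key size under 128 bits.
        if r["suite"].upper().startswith("EXP") or int(r["bits"]) < 128:
            flagged.append((r["suite"], r["prot"], "export-grade or sub-128-bit"))
        tokens = set(re.split(r"[^A-Z0-9]+", (r["suite"] + " " + r["keyx"]).upper()))
        if tokens & FF_DH:
            flagged.append((r["suite"], r["prot"], "finite-field DH key exchange"))
    return flagged

# Listing from the reply above (cipher string RSA+AES:!SSLv3).
REPLY_LISTING = """\
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
"""
# Constructed rows (not from the page) showing what a flagged suite looks like.
CONSTRUCTED = """\
0: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
"""

if __name__ == "__main__":
    print(len(parse_rows(REPLY_LISTING)), audit(REPLY_LISTING))
    print(audit(CONSTRUCTED))
```

An empty result for a listing means no row matched either heuristic; it is a check on the expanded cipher string, not a substitute for rescanning the site.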