Forum Discussion
Lupo_38935
Nimbostratus
Nov 06, 2009
mitigating the TLS client-initiated renegotiation MITM attack
I thought I'd share the iRule we use to mitigate one of the recently disclosed TLS attacks. Our focus lies on preventing the possible malicious data insertion during 'client-initiated renegotiation'. ...
Nasko_65861
Nimbostratus
Aug 27, 2010
Any rule you have *must* prevent renegotiation. If you have completed the renegotiation, the attack has already been successful, at least against the HTTP protocol. The reason is that the server buffers the client request, which is malicious coming from the man-in-the-middle (MiTM). Once renegotiation completes, the server executes the buffered request, which means game over.
So to be truly protected, you need to drop the actual renegotiation attempt. This is why netsekure.org reports you are vulnerable.
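Added example, not part of the thread and not the posters' iRule: a Python sketch of the check the reply calls for, flagging the renegotiation attempt itself from the client-to-server TLS record stream so the connection can be dropped before renegotiation completes. It assumes TLS 1.2 or earlier (where record content types are visible and renegotiation exists) and that the client's Finished message fits in one record; the function names and sample bytes are constructed for illustration.

```python
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 20, 22, 23  # TLS record content types

def tls_records(stream: bytes):
    """Yield (content_type, payload_length) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break  # partial record: a live proxy would wait for more bytes
        yield ctype, length
        off += 5 + length

def first_renegotiation_record(client_stream: bytes):
    """Return the index of the first client record that opens a renegotiation.

    In the initial handshake the client sends exactly one handshake record
    after its ChangeCipherSpec (the encrypted Finished). Any later handshake
    record from the client is a new ClientHello, i.e. a renegotiation attempt,
    and is the point at which the connection has to be dropped.
    """
    seen_ccs = finished_seen = False
    for index, (ctype, _length) in enumerate(tls_records(client_stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True
        elif ctype == HANDSHAKE and seen_ccs:
            if finished_seen:
                return index
            finished_seen = True
    return None

def _record(ctype: int, size: int) -> bytes:
    """Build a constructed record: 5-byte header (TLS 1.0) plus dummy payload."""
    return struct.pack("!BHH", ctype, 0x0301, size) + b"\x00" * size

# Constructed client-side streams: handshake, CCS, Finished, one request.
NORMAL = (_record(HANDSHAKE, 80) + _record(HANDSHAKE, 70) +
          _record(CHANGE_CIPHER_SPEC, 1) + _record(HANDSHAKE, 48) +
          _record(APPLICATION_DATA, 120))
# Same stream followed by a second handshake record (renegotiation attempt).
RENEGOTIATING = NORMAL + _record(HANDSHAKE, 96) + _record(APPLICATION_DATA, 200)

if __name__ == "__main__":
    print("normal:", first_renegotiation_record(NORMAL))
    print("renegotiating:", first_renegotiation_record(RENEGOTIATING))
```
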
