Forum Discussion
uni
Altocumulus
Apr 29, 2014
More on SSLLabs rating - Secure Client-Initiated Renegotiation
bkhowson posted a nice article recently on getting the A+ rating for SSLLabs server test. Using this, I now have an A+ rating on the site.
There is one thing left bugging me though, it reports
"...
nitass
Employee
Apr 29, 2014
Can you try to disable renegotiation?
e.g.
renegotiation is enabled (default)
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
clientssl {
context clientside
}
tcp { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 9
}
[root@centos1 ~] openssl s_client -connect 172.28.24.10:443
CONNECTED(00000003)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgICBYgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYTAlVT
MQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJTXlDb21w
YW55MQswCQYDVQQLEwJJVDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWlu
MSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0x
MzExMTcwODU2MzdaFw0yMzExMTUwODU2MzdaMIGYMQswCQYDVQQGEwJVUzELMAkG
A1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoTCU15Q29tcGFueTEL
MAkGA1UECxMCSVQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcG
CSqGSIb3DQEJARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLsBpv7ujDWm7N1sDVquV+a5gWGF2lz+1u
TXhhvEJMlEYlorCK4EKQDfGjQGhfiq00GRWB+pAethEjMinyopaFGmqvxg+eZYYK
9lF1rb3r6vP0oUymL1lWCwvu9V1GKEN2sXovfdSv3LVIPLGf8xfW3HnGdF3A8cYl
WQDWfkc7GjFI3mZ4GHUzMko5cs2N5oU2q2G3gE8nxdKYwy3VTzXWvM+Q6o+0/n2V
i8jPgReWx8JvY+ybq1mBOJZpyxbRN3ddvLmLR4IpCEUT0uALittt10ZQ4uUpbNdq
XMoX8L8ser9fLx1L3R4Gqo6/DRaBOYn8scfLpgG408yzP9l2hKpNAgMBAAEwDQYJ
KoZIhvcNAQEFBQADggEBAFvYeMufu/bAf2tnPZvtlT9TgXudi45l7hN3fqLdvEey
33i+Os2ZOLbzKLPKTQ3DT74MCNwOPkGgiM4SS4eN2B3VROeX1UDmUJR/MK3I1qZQ
yn0icotAQhyPKIK44VubarB9hT4u30ZBzBWq0nqec4M4RJGJbshIfWYnt+lJUzyG
s22ul1p4N47mBvzFaHOLK3CEJcRVLx99HiMKZ9OT+XIEDZYwqBU/nhovPt+lowly
9aMRzNBCdTXaCDtOYuHbllsog4bonSPY1vm7ta9F204mp2cUkowMKtfRGD7XmVeK
VfmAwb5c8bCTHozfvydcwmfdjiSoYq9aiuEDNMvrj/E=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1113 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 457BB7CC171B4139E605CD1C37DF7A0F18B4E399A2581AC7F190A8740FC3DCF1
Session-ID-ctx:
Master-Key: CE63065E8426FA7BE9D632B319EFFE4D5EA884891466706E39264AB8A9AD98942216F4F025DE20580A19160FDB2A0086
Key-Arg : None
Krb5 Principal: None
Start Time: 1398746038
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
R
RENEGOTIATING
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
renegotiation is disabled
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
myclientssl {
context clientside
}
tcp { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 9
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
app-service none
cert-key-chain {
default {
cert default.crt
key default.key
}
}
defaults-from clientssl
inherit-certkeychain true
renegotiation disabled
}
[root@centos1 ~] openssl s_client -connect 172.28.24.10:443
CONNECTED(00000003)
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted; it is the same certificate as in the first session above]
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1113 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 457BB7CC171B413AE605CD1C37DF7B0F93CF6BA1292392CFF190A8740FC3DCCE
Session-ID-ctx:
Master-Key: F62821AA6B19FFFC0960A2BD9DB155E285F450D93CB73FD6936D124E2FA938ADFABFDEBDC63CE3C11914B9966606B01D
Key-Arg : None
Krb5 Principal: None
Start Time: 1398746099
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
R
RENEGOTIATING
16040:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
16040:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
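The two transcripts above differ only after the RENEGOTIATING marker: with the default profile the BIG-IP completes the client-initiated renegotiation and s_client prints a second certificate-verification pass, while with "renegotiation disabled" it answers with a fatal handshake_failure alert (alert number 40). Note that "Secure Renegotiation IS supported" appears in both, since that line only says the RFC 5746 extension was negotiated. The script below is an added example, not code from the thread or from F5: it classifies an s_client transcript on exactly that distinction and wraps the manual "type R" test in a function. The sample transcripts are constructed (trimmed from the two sessions above), the host and port in probe_renegotiation are placeholders, and the -tls1_2 flag is there because TLS 1.3 removed renegotiation entirely.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread): classify an `openssl s_client`
# transcript in which "R" was typed after the handshake, i.e. the client asked
# the server to renegotiate. Sample transcripts below are constructed from the
# two sessions in the post; host/port in probe_renegotiation are placeholders.

# Read a transcript on stdin and print one verdict:
#   renegotiation-allowed      - server completed the client-initiated renegotiation
#   renegotiation-refused      - server answered with a fatal handshake_failure (alert 40)
#   no-renegotiation-attempted - transcript never reached RENEGOTIATING
#   inconclusive               - RENEGOTIATING seen, but neither outcome recognised
classify_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        *RENEGOTIATING*) ;;
        *) echo "no-renegotiation-attempted"; return 0 ;;
    esac
    # Only what follows the RENEGOTIATING marker decides the verdict. The
    # "Secure Renegotiation IS supported" line printed earlier just means the
    # RFC 5746 extension was negotiated; it says nothing about whether the
    # server will accept a renegotiation the client initiates.
    after=${transcript#*RENEGOTIATING}
    case "$after" in
        *"alert number 40"*|*"handshake failure"*) echo "renegotiation-refused" ;;
        *"depth="*|*"verify return"*)              echo "renegotiation-allowed" ;;
        *)                                         echo "inconclusive" ;;
    esac
}

# Drive a live check: wait for the handshake, send "R" (s_client's
# renegotiate command), give the server time to answer, then classify.
# stderr is merged because s_client prints the alert/error lines there.
# TLS 1.2 is forced because TLS 1.3 has no renegotiation to test.
probe_renegotiation() {
    host=$1
    port=${2:-443}
    { sleep 2; printf 'R\n'; sleep 2; } \
        | openssl s_client -tls1_2 -connect "$host:$port" 2>&1 \
        | classify_renegotiation
}

# Constructed samples, trimmed from the two sessions shown in the post.
ALLOWED_SAMPLE='Secure Renegotiation IS supported
---
RENEGOTIATING
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1'

REFUSED_SAMPLE='Secure Renegotiation IS supported
---
RENEGOTIATING
16040:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40
16040:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'

# Stand-alone run: classify both constructed transcripts.
# Against a real listener (placeholder host): probe_renegotiation example.invalid 443
printf '%s\n' "$ALLOWED_SAMPLE" | classify_renegotiation   # renegotiation-allowed
printf '%s\n' "$REFUSED_SAMPLE" | classify_renegotiation   # renegotiation-refused
```

The profile change shown in the listing above ("renegotiation disabled" on a custom client-ssl profile derived from clientssl) is what makes the refused branch appear; in tmsh the equivalent one-liner is `modify ltm profile client-ssl myclientssl renegotiation disabled`, after which the virtual server is pointed at that profile instead of the default one. Re-running the probe should then move the verdict from renegotiation-allowed to renegotiation-refused.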