Forum Discussion
Robert_Roman_14
Dec 22, 2014 | Nimbostratus
New Cipher for TLS1.x Padding Vulnerability
Currently, we have our client ssl profile set with the following cipher string:
!SSLv3:!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED
We have been tasked by our infoSec department to correct ...
David_Stout
Dec 22, 2014 | Nimbostratus
I'm struggling to follow F5's logic in the referenced article. TLSv1.x is still available in the cipher string they recommend:
tmm --clientciphers '!SSLv3:RC4-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
If you take your original string, you have this list of supported ciphers:
tmm --clientciphers '!SSLv3:!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
So if you just simply add :!TLSv1 to your existing cipher string, you get the following set of supported ciphers, minus the TLSv1.x that is subject to the CVE article:
tmm --clientciphers '!SSLv3:!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED:!TLSv1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
1: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
2: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
5: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
6: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
8: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
Or am I missing something here?
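One way to check what a cipher-string change like the one in the reply above actually removes, added here as an example and not part of the original posts: it parses the two `tmm --clientciphers` listings copied from the reply and reports which suite/protocol pairs the `:!TLSv1` suffix dropped and which protocols are still offered. The function names are this example's own.

```python
# Listings copied from the reply above (output of `tmm --clientciphers`).
BEFORE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
2: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
"""
AFTER = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
1: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
2: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
5: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
6: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
8: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
"""

def parse(listing):
    """Return the set of (suite name, protocol) pairs in a listing."""
    rows = (line.split() for line in listing.splitlines())
    # Data rows have 9 fields and start with "N:"; the header row has neither.
    return {(f[2], f[4]) for f in rows
            if len(f) == 9 and f[0].rstrip(":").isdigit()}

def protocols(listing):
    """Protocol versions still offered by the cipher string."""
    return sorted({prot for _, prot in parse(listing)})

def removed(before, after):
    """Suite/protocol pairs present before the change and gone after it."""
    return sorted(parse(before) - parse(after))

def suites_lost(before, after):
    """Suites no longer offered under any protocol after the change."""
    return {s for s, _ in parse(before)} - {s for s, _ in parse(after)}
```

Run against these two listings, `removed` returns only the four TLS1 rows, `suites_lost` is empty, and `protocols(AFTER)` still lists DTLS1 alongside TLS1.2.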