Forum Discussion
New Cipher for TLS1.x Padding Vulnerability
The issue for CVE-2014-8730 is not that there is a problem with TLS1.x. Rather, there is a problem in the implementation of padding when using block ciphers in CBC mode. That is why it is recommended to use RC4, which is a stream cipher, or only use block ciphers in GCM (Galois Counter Mode), which does not use CBC mode.
The best solution at the moment is to upgrade to a version where the padding issue is fixed. Currently 11.5.1 HF7, 11.4.1 HF7 (yes HF7) or 11.6.0 HF3 are the versions I would recommend. CVE-2014-8730 is fixed in these versions; then you will just need to disable SSLv3 for the configuration utility, as suggested in SOL15702, in order to mitigate POODLE.
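The padding check discussed in the post above, as an added example that is not part of the original post or any vendor's code: TLS 1.x (RFC 5246, section 6.2.3.2) requires every CBC padding byte to equal the padding length, whereas SSLv3 only defines the final length byte. The function names, the 20-byte MAC length and the sample records are assumptions made for illustration.

```python
import hmac

BLOCK = 16    # AES block size in bytes
MAC_LEN = 20  # assumed HMAC-SHA1 tag length


def lax_padding_ok(plaintext: bytes) -> bool:
    """SSLv3-style check: only the trailing length byte is examined."""
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.x check: all pad_len + 1 trailing bytes must equal pad_len.

    Illustrates the rule only; a production record layer must also make
    the padding and MAC checks constant-time as a whole.
    """
    if not plaintext or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    total = pad_len + 1
    if total + MAC_LEN > len(plaintext):
        return False  # padding would overlap the MAC
    expected = bytes([pad_len]) * total
    return hmac.compare_digest(plaintext[-total:], expected)


# Constructed decrypted records: 5 data bytes, 20 MAC bytes, 7 padding bytes.
GOOD = b"hello" + b"\xaa" * MAC_LEN + b"\x06" * 7
# Same record, but the padding bytes before the length byte are arbitrary.
BAD = b"hello" + b"\xaa" * MAC_LEN + b"\x00\x11\x22\x33\x44\x55\x06"

if __name__ == "__main__":
    for name, rec in (("well-formed", GOOD), ("malformed", BAD)):
        print(f"{name:11s} lax={lax_padding_ok(rec)} "
              f"strict={strict_padding_ok(rec)}")
```

A TLS endpoint that accepts the malformed record behaves like the lax check, which is the class of padding defect the fixed versions address.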