Forum Discussion
OpenSSL and Heart Bleed Vuln
Hi Team,
I know this question is eventually going to be asked - I may as well do it.
With the news today about the Heartbleed OpenSSL Vulnerability (http://heartbleed.com) I wanted to confirm if we are at any risk. All of my LTM V11 and V10 instances are running OpenSSL 0.9.8x which does not appear to be a vulnerable version of OpenSSL... Does the F5 hook into this when we Sign/Request SSL Certs? If so we're sitting pretty, right?
Thanks.
Updates based on feedback:
Update 2: F5 have published a security advisory on this issue - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
- Kip_Young_DL_14 (Nimbostratus)
I'm also interested in F5's official stance on this.
- Ferg_104721 (Nimbostratus)
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Version 11.3/11.4 uses OpenSSL 0.9.8; run "openssl version" on the CLI to confirm.
- Ferg_104721 (Nimbostratus)
if you want to test you could use
http://filippo.io/Heartbleed/
- Beinhard_8950 (Nimbostratus)
Some other test tools that you run yourself:
https://gist.github.com/sh1n0b1/10100394
http://s3.jspenguin.org/ssltest.py
- BinaryCanary_19 (Historic F5 Account)
It's easy to know if you're vulnerable to this: you are running an affected OpenSSL version. You can simply run "openssl version" on the CLI.
- That only shows half of the picture in some cases and isn't always possible with appliances.
- James_Deucker_2 (Historic F5 Account)
My 11.5.0 comes back as not vulnerable.
- BinaryCanary_19 (Historic F5 Account)
By default, only native ciphers are used.
- Kiozs_131042 (Altocumulus)
How did you test it out? We did a test 2 days ago; V11.5.0 management access is vulnerable.
- squip_86995 (Nimbostratus)
You can check if you are returning the TLS heartbeat extension using the following from bash:
    openssl s_client -connect google.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
It will return the extension if affected, otherwise "safe". If it does return the extension, check your version of OpenSSL... This shouldn't be anyone running an F5, I don't think.
- wbbigdave_97776 (Nimbostratus)
From what are you running this bash?
- squip_86995 (Nimbostratus)
From my workstation.
- Frank__30499 (Nimbostratus)
The string just before the pipe symbol is translated. It should be 2>&1 to tie stderr to stdout.
- gsdeol_34170 (Nimbostratus)
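The s_client check above only tells you whether a server advertises the heartbeat extension, and "openssl version" only tells you which library a box thinks it runs. The following is an added example (not from this thread or from F5) that wraps both checks in POSIX sh functions that read saved or live command output from stdin, so they can be run over appliances where you captured output elsewhere. The sample transcripts at the bottom are constructed for the stand-alone run; the version test deliberately reports the 1.0.1 through 1.0.1f range as "in range" rather than "vulnerable", because some distributions backport the fix without changing the version string.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Two offline Heartbleed triage checks:
#   1. classify the output of `openssl version`
#   2. classify the output of `openssl s_client -tlsextdebug`
# Both functions read their input on stdin.

# Exit 0 if the first line names OpenSSL 1.0.1 through 1.0.1f (the affected
# range from the advisory), exit 1 otherwise. A match means "investigate",
# not "confirmed vulnerable": distro builds may carry a backported fix.
version_in_heartbleed_range() {
  read -r line || return 1
  # Example line: "OpenSSL 1.0.1e-fips 11 Feb 2013"; field 2 is the version.
  set -- $line
  ver=$2
  base=${ver%%-*}          # drop a "-fips" style suffix
  case "$base" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 if the s_client -tlsextdebug transcript shows the server sending the
# heartbeat extension (id=15), exit 1 otherwise. A server that never
# advertises the extension cannot be probed with a heartbeat request over TLS.
server_advertises_heartbeat() {
  grep -q 'server extension "heartbeat" (id=15)'
}

# One-word verdict for a transcript, mirroring the "|| echo safe" idiom.
heartbeat_verdict() {
  if server_advertises_heartbeat; then
    echo "heartbeat-advertised"
  else
    echo "safe"
  fi
}

# Constructed sample output (not real captures) for a stand-alone run.
SAMPLE_VERSION_BAD='OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_VERSION_OK='OpenSSL 0.9.8y 5 Feb 2013'
SAMPLE_TLSEXT_BAD='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
---
Certificate chain'
SAMPLE_TLSEXT_OK='TLS server extension "renegotiation info" (id=65281), len=1
---
Certificate chain'

demo() {
  for v in "$SAMPLE_VERSION_BAD" "$SAMPLE_VERSION_OK"; do
    if printf '%s\n' "$v" | version_in_heartbleed_range; then
      echo "$v -> in affected range, check for a backported fix"
    else
      echo "$v -> outside affected range"
    fi
  done
  printf '%s\n' "$SAMPLE_TLSEXT_BAD" | heartbeat_verdict
  printf '%s\n' "$SAMPLE_TLSEXT_OK" | heartbeat_verdict
}
demo
```

Against a live host the two functions are fed the same way the thread does it: `openssl version | version_in_heartbleed_range` on the box, and `openssl s_client -connect host:443 -tlsextdebug 2>&1 </dev/null | heartbeat_verdict` from a workstation. Note the stdin redirect, which stops s_client waiting for interactive input.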
Hi Guys, I have one question, whether the F5s use Openssl for SSL offloading functionality? Or is it just a tool installed on the F5s to use for SSL testing.
Thanks
- Ferg_104721 (Nimbostratus)
To the question about offload, it is my understanding that the openssl is used for csr and cert creation but not for the offloading functionality.
- Jason_Keating (Altostratus)
According to SOL14457, 11.5.0 uses 1.0.1e, which is vulnerable: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14457.html
Apparently 1.0.1g or greater addresses the vuln.
I would also like to know (for sure) if OpenSSL is used for offloading. James's comment above that his 11.5.0 appears not subject to the vulnerability suggests it's not... Regardless, I imagine a patch is needed.
- What_Lies_Bene1 (Cirrostratus)
Whether OpenSSL is used or not will depend on the cipher string in your SSL profiles. If you're using the DEFAULT or NATIVE strings or something else that only uses native ciphers then OpenSSL is NOT used and the Cavium offload card (and related proprietary SSL/TLS software) is. If you're using something else (a compat cipher) then OpenSSL is.
A cipher string specifying any compat cipher, even if the rest are native, will result in OpenSSL being used. Find the definitive list here and modify your profiles accordingly: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
Also remember that you'll get much better performance if you only use native ciphers.
- Sean_82866 (Nimbostratus)
It's important to note that the management console is also vulnerable, making the question of whether your individual hosts are exposed moot for some installations.
Hopefully F5 will give us some good news this morning.
- What_Lies_Bene1 (Cirrostratus)
True, but you'd hope the management interface is on a pretty secure, private network rather than a public-facing one.