Forum Discussion
Problem ssl validation
Hello, I have a problem with an SSL validator, at https://validator.w3.org/feed/
Ciphers: DEFAULT:!RSA
https://validator.w3.org/feed/ Error (Server returned [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)
SSL Labs grade: B
removing :!RSA
Ciphers: DEFAULT:!LOW:!RC4:!MD5:!SHA1:!ADH:!DHE:!DES:!3DES:!EXP
https://validator.w3.org/feed/ ok
SSL Labs grade: F (SSL Labs recommends removing RSA)
This server is vulnerable to the Return Of Bleichenbacher's Oracle Threat (ROBOT) vulnerability. Grade set to F. MORE INFO »
Version: BIG-IP 11.6.0 Build 5.0.429 Hotfix HF5
Any ideas what may be happening?
Thanks
The Client SSL profile may be vulnerable to a Bleichenbacher attack against RSA which, when exploited, may result in plaintext recovery of encrypted messages and/or a man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself, aka a ROBOT attack. In order to correct this, you need to disable !RSA algorithm from the cipher list.
It will help you to increase the SSL rating. I would suggest adding the cipher string below to the client SSL profile (try it on a non-prod application):
DEFAULT:ECDHE:!RSA:!DHE:!3DES
Hope it will help you.
Reference link: https://support.f5.com/csp/article/K21905460
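An added example, not part of the thread and not F5 code: it expands the three cipher strings quoted above with the local OpenSSL (through Python's `ssl` module) and groups the resulting TLS 1.2-and-below suites by key exchange, since RSA key exchange is what keeps a server in scope for ROBOT and DHE is the family behind the validator's `DH_KEY_TOO_SMALL` error. It assumes OpenSSL keyword semantics, which can differ from BIG-IP's own expansion (on the BIG-IP, `tmm --clientciphers '<string>'` is the authoritative listing); the function names and the host in the commented `probe` call are hypothetical.

```python
import socket
import ssl

def tls12_ciphers(cipher_string):
    """Expand an OpenSSL cipher string locally; return the TLS <= 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are not governed by set_ciphers(), so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def key_exchanges(cipher_string):
    """Map key-exchange family (kx-rsa, kx-dhe, kx-ecdhe, ...) to suite names."""
    groups = {}
    for c in tls12_ciphers(cipher_string):
        groups.setdefault(c.get("kea", "unknown"), []).append(c["name"])
    return groups

def robot_exposed(cipher_string):
    """ROBOT needs RSA key exchange; any kx-rsa suite keeps the server in scope."""
    return "kx-rsa" in key_exchanges(cipher_string)

def probe(host, family, port=443, timeout=5):
    """Offer one family ('kRSA', 'DHE' or 'ECDHE') to a server you operate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher test only, not a trust decision
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(family)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted: " + tls.cipher()[0]
    except ssl.SSLError as exc:  # e.g. DH_KEY_TOO_SMALL when DHE params are weak
        return "failed: " + (exc.reason or str(exc))
    except OSError as exc:
        return "failed: " + str(exc)

if __name__ == "__main__":
    # The three cipher strings quoted in the thread.
    for s in ("DEFAULT:!RSA",
              "DEFAULT:!LOW:!RC4:!MD5:!SHA1:!ADH:!DHE:!DES:!3DES:!EXP",
              "DEFAULT:ECDHE:!RSA:!DHE:!3DES"):
        kx = key_exchanges(s)
        print(s, "->", sorted(kx), "| ROBOT in scope:", "kx-rsa" in kx)
    # print(probe("bigip.example.test", "DHE"))  # placeholder host name
```

Running `probe` with `"DHE"` from a modern client against the virtual server reproduces what a strict client such as the feed validator sees when DHE is the family that gets negotiated.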