Forum Discussion
Remove TLS_RSA for PFS?
Given these ciphers supported on an 11.6.2HF1 LTM, if the server is using RSA certificates, to prevent the ROBOT vulnerability, do we just need to remove the (7) TLS_RSA ciphers noted at the end of this list?

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Thank you for your thoughts on how best to proceed.
- Simon_Blakely
Employee
If you are running 11.6.2 HF1, you have already mitigated ROBOT even if you continue to use RSA key Exchange.
K21905460: BIG-IP SSL vulnerability (ROBOT) CVE-2017-6168
Please be aware of the note in K21905460
Note: Fixed BIG-IP versions do not disable RSA key exchange, they eliminate the existing code flaw in our implementation of RSA key exchange. Due to influences outside the control of the BIG-IP system, some SSL rating sites and scanners may falsely report that fixed versions are vulnerable to CVE-2017-6168. In these instances you may want to contact the scanner vendor to report the false positive result.
- Suzyw720_345395
Nimbostratus
Thanks very much S.Blakely for your response. I believed I took the necessary mitigation steps & was surprised to see a scanning site provide a false positive. I appreciate you sharing your knowledge. If I may expand on the PFS portion of the question, I just read in another post that "requiring PFS involves setting our clientssl profile cipher string to include only ECDHE and DHE (but not ADH) ciphers and to disallow RSA key exchanges. It can be as simple as setting your cipher string to DEFAULT!RSA or ECDHE:DHE". Does that approach sound correct?
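As an added illustration of the PFS question above (example code written for this page, not from the thread's participants or from F5), the following classifies IANA-style cipher suite names by their key-exchange field and shows which of the fourteen suites in the original question survive a policy that excludes RSA key exchange and anonymous DH. It assumes IANA naming (TLS_<kx>_WITH_...), not OpenSSL short names, and it only checks names, not what a given BIG-IP build actually negotiates.

```python
import re

# Sample input: the suite list from the question, reproduced here.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# IANA suite names: TLS_<key exchange>_WITH_<cipher>_<mac>; TLS 1.3 names have no WITH.
_NAME = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_")

def key_exchange(suite):
    """Return the key-exchange field of a suite name ('ECDHE_RSA', 'RSA', 'DH_anon', ...).
    TLS 1.3 names carry no such field and are reported as 'TLS13'."""
    m = _NAME.match(suite)
    if m:
        return m.group("kx")
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return "TLS13"
    raise ValueError(f"unrecognised cipher suite name: {suite}")

def is_forward_secret(suite):
    """True for ephemeral key exchange (ECDHE, DHE, TLS 1.3); static RSA and static DH are not."""
    kx = key_exchange(suite)
    return kx == "TLS13" or kx.split("_")[0] in ("ECDHE", "DHE")

def is_anonymous(suite):
    """True for unauthenticated (ADH / AECDH) suites, which a PFS policy also excludes."""
    return "anon" in key_exchange(suite)

def pfs_only(suites):
    """Apply a 'no RSA key exchange' policy: keep ephemeral, authenticated suites."""
    return [s for s in suites if is_forward_secret(s) and not is_anonymous(s)]

def rejected(suites):
    """Suites the policy drops: static RSA/DH key exchange or anonymous DH."""
    keep = set(pfs_only(suites))
    return [s for s in suites if s not in keep]

if __name__ == "__main__":
    keep = set(pfs_only(SUPPORTED))
    for s in SUPPORTED:
        print(f"{'keep' if s in keep else 'drop'}  {s}")
```

Run against the list above it keeps the seven TLS_ECDHE_RSA suites and drops the seven TLS_RSA suites, matching the count in the original question.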
- Simon_Blakely
Employee
Please flag the comment as answering your query, so that other users searching on this issue can find useful answers.
Thanks
- Suzyw720_345395
Nimbostratus
As a fairly new DevCentral user, I am unsure how to flag the comment as answering my query, but I will attempt to find out how to do so & do it for other users.