

Thiyagu_163984
Oct 31, 2015

SSL Ciphers

Hi, I'm working on a task to disable SSLv2 connections. I'm going to use the NATIVE SSL stack and the COMPAT SSL stack with the following cipher string in the client SSL profile.

native:compat:!sslv2

 

If I'm using both the NATIVE and COMPAT SSL stacks, which SSL stack does the client choose to communicate with?

If a client is currently using SSLv2 and we deny the request on the LB, does the client re-initiate the session with SSLv3 or TLS?

Does the security certificate which we are installing on the LB have any algorithm related to SSLv2, SSLv3 or TLS?

Regards, Thiyagu

 

4 Replies

  • nathe

    Thiyagu,

     

    "If I'm using both NATIVE and COMPAT SSL stack which SSL stack does the client chose to communicate?"

     

    It should negotiate the most secure cipher from either list, which will probably be from the NATIVE stack. To be certain you can add @STRENGTH to your cipher string.

     

    "If a client is currently using SSLv2 and we deny the request on LB, Does the client re-initiate the session with SSLv3 or TLS?"

     

    The existing session would continue as normal but any new TCP connections over SSL would negotiate with SSLv3 and upwards.

     

    "Does the security certificate which we are installing on LB have any algorithm related to SSLv2 or SSLv3 or TLS?"

     

    No, it doesn't include protocol supportability.

    Moving forward, F5 are moving away from COMPAT ciphers, as they are less secure and slower (can't be optimised in hardware), and from SSLv3 now. I'd recommend you look further ahead than just SSLv2.

    Hope this helps,

     

    N

     

  • Thanks Nathan. I have one more query. Would you please help me to understand when the ciphers come into play in the SSL communication between the client and the server?

    Regards, Thiyagu

     

    • nathe
      It's all in the SSL handshake, when the client and server negotiate the security of the SSL transaction. There's an excellent series of tech tips by Jason Rahm here: https://devcentral.f5.com/s/articles/ssl-profiles-part-1.... Mark up if happy.
  • Any particular reason you want to use COMPAT? It is most likely unnecessary. Stick with the NATIVE stack.

    tmm --clientciphers ''
    will show you what ciphers will be available with your configured cipher string.
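Added example (not code from the thread, from F5, or from the BIG-IP product) illustrating the handshake step nathe describes and the cipher negotiation question from the original post: the client advertises its cipher suites and protocol versions in ClientHello, the server parses them, picks one suite from the intersection in its own configured order (with an optional strongest-first re-sort standing in for an @STRENGTH sort), and refuses a client that only offers a version below its minimum. Cipher suite code points are IANA registry values; the sample ClientHello, the server preference list and the key-bit "strength" figures are constructed for this example, and BIG-IP's actual selection logic is not modelled. Note that a real SSLv2 CLIENT-HELLO uses a different record layout that this parser rejects outright.

```python
"""Where cipher suites enter the TLS handshake: the client lists what it
supports in ClientHello, the server chooses from the intersection.
Constructed example; server preferences and the sample hello are assumed."""
import struct

# IANA code point -> (name, symmetric key bits used as a crude "strength")
CIPHER_SUITES = {
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
}
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303


def build_client_hello(suites, versions=(TLS12,), random_bytes=b"\x11" * 32):
    """Client side: a TLS ClientHello record carrying the given cipher suites
    (client preference order) plus a supported_versions extension."""
    version_list = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", 0x002B, len(version_list)) + version_list  # supported_versions
    body = (
        struct.pack("!H", TLS12)                          # legacy client_version
        + random_bytes                                    # 32-byte client random
        + b"\x00"                                         # empty session_id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                     # compression: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS12, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Server side: extract client_version, offered suites (client order) and
    the supported_versions list (empty if the extension is absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record (SSLv2-style hello?)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip the random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    versions = []
    if pos < len(body):                            # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B:
                n = body[pos]
                versions = [struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += elen
    return {"client_version": client_version, "cipher_suites": suites, "supported_versions": versions}


def negotiate_version(hello, min_version=TLS10):
    """Highest version the client offered that the server still allows; None
    means the handshake is refused (e.g. an SSLv3-only client against a
    server that only allows TLS 1.0 and up)."""
    offered = hello["supported_versions"] or [hello["client_version"]]
    allowed = [v for v in offered if v >= min_version]
    return max(allowed) if allowed else None


def select_cipher(offered, server_prefs, sort_by_strength=False):
    """First suite in the server's list that the client also offered. With
    sort_by_strength the server list is re-ordered strongest first (a stand-in
    for an @STRENGTH sort); ties keep the configured order."""
    prefs = list(server_prefs)
    if sort_by_strength:
        prefs.sort(key=lambda s: CIPHER_SUITES.get(s, ("?", 0))[1], reverse=True)
    return next((s for s in prefs if s in offered), None)


if __name__ == "__main__":
    # Constructed client: weak suites first, then the AEAD ones; TLS 1.2 / 1.1.
    hello = parse_client_hello(build_client_hello([0x0005, 0x002F, 0xC02F, 0xC030], versions=(TLS12, TLS11)))
    server_prefs = [0x002F, 0xC02F, 0xC030, 0x000A]    # assumed server cipher order
    print("version:", hex(negotiate_version(hello)))
    print("server order:", CIPHER_SUITES[select_cipher(hello["cipher_suites"], server_prefs)][0])
    print("strongest first:", CIPHER_SUITES[select_cipher(hello["cipher_suites"], server_prefs, True)][0])
    print("SSLv3-only client:", negotiate_version(parse_client_hello(build_client_hello([0x002F], versions=(SSL3,)))))
```

With the constructed inputs the server's own order yields TLS_RSA_WITH_AES_128_CBC_SHA because it is listed first, while the strongest-first re-sort yields TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; the client that offers only SSLv3 gets no version at all, which is the "deny the request on the LB" case from the question.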