gijo_342173
Oct 23, 2018

SSL passthrough VIP - mitigating birthday attack

Is it possible to apply an SSL client profile to mitigate on the VIP even though the VIP is in SSL passthrough mode this per ?


Are there other possibilities to address this vulnerability on the F5?


8 Replies

  • Can you elaborate on what you need to do and what you're trying to prevent? Are you referring to a hash birthday attack, and if so, which hash?


  • Birthday attacks against TLS ciphers with 64-bit block size vulnerability (Sweet32)


  • Okay, so the fix here is to disable TLS1 in the client SSL profile. But not sure how this relates to a VIP in SSL passthrough mode. If you want to mitigate TLS1 vulnerabilities at the F5, then you need to minimally apply a client SSL profile that does this, and then you're no longer in passthrough mode.


  • In passthrough you cannot add any ssl profile i.e.- client or server


  • I will be applying the following:

    modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

    and NOT anything on the SSL client profile, as there is no SSL client profile. The risk is this may break any clients that are using TLSv1 for other virtuals.


  • Okay, but do understand that this ONLY affects the BIG-IP configuration (management plane). This has no effect on the TLS traffic flowing through VIPs.
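
Added example, not part of the thread and not F5 code: with a passthrough VIP the TLS session ends on the servers behind it, so that is where 64-bit block ciphers (the Sweet32 condition) have to be found and disabled. This Python sketch flags them in `openssl ciphers -v` style output; the function names and the sample listing are constructed for illustration.

```python
import re

# Ciphers with a 64-bit block, keyed by the Enc= label `openssl ciphers -v` prints.
BLOCK64 = {"3DES", "DES", "IDEA", "RC2"}
_LINE = re.compile(r"^(\S+)\s+(\S+)\s.*\bEnc=([^\s(]+)")


def birthday_bound_bytes(block_bits):
    """Bytes under one key after which a ciphertext block collision is likely."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def flag_block64(listing):
    """Return (suite, protocol, cipher) for each listed suite using a 64-bit block cipher."""
    hits = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(3).upper() in BLOCK64:
            hits.append(m.groups())
    return hits


# Constructed sample in `openssl ciphers -v` format, standing in for what a
# server behind the passthrough VIP has enabled (assumption, not real data).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

if __name__ == "__main__":
    for suite, proto, cipher in flag_block64(SAMPLE):
        print(f"{suite} ({proto}): {cipher}, 64-bit block")
    gib = birthday_bound_bytes(64) // 2**30
    print(f"block collision likely after ~{gib} GiB under one key")
```

RC4-SHA is not flagged because RC4 is a stream cipher; it is outside the 64-bit block condition this check covers.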