SSL passthrough VIP - mitigating birthday attack
Is it possible to apply an SSL client profile to mitigate this on the VIP even though the VIP is in SSL passthrough mode, per https://support.f5.com/csp/article/K13092?
Are there other possibilities to address this vulnerability on the F5?
- gijo_342173 (Nimbostratus)
The code is 11.5.4.
- Kevin_Stewart (Employee)
Can you elaborate on what you need to do and what you're trying to prevent? Are you referring to a hash birthday attack, and if so, which hash?
- gijo_342173 (Nimbostratus)
Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
- gijo_342173 (Nimbostratus)
https://support.f5.com/csp/article/K13400
I am thinking the fix is to disable everything except TLS1 and RC4 per the above; however, this may impact all other VIPs. I have a feeling that without addressing the traffic on other virtuals I am risking breaking some applications.
- Kevin_Stewart (Employee)
Okay, so the fix here is to disable TLS1 in the client SSL profile. But I'm not sure how this relates to a VIP in SSL passthrough mode. If you want to mitigate TLS1 vulnerabilities at the F5, then you need to minimally apply a client SSL profile that does this, and then you're no longer in passthrough mode.
- gs_366906 (Altocumulus)
In passthrough you cannot add any SSL profile, i.e. client or server.
- gijo_342173 (Nimbostratus)
I will be applying the following:
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'
and NOT anything on the SSL client profile, as there is no SSL client profile. The risk is that this may break any clients that are using TLSv1 for other virtuals.
- Kevin_Stewart (Employee)
Okay, but do understand that this ONLY affects the BIG-IP configuration (management plane). This has no effect on the TLS traffic flowing through VIPs.
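The cipher string posted above is in OpenSSL cipher-list syntax, and a detail worth checking before relying on such a string against Sweet32 is that the OpenSSL keyword DES selects single-DES suites only; triple DES (DES-CBC3-SHA, the 64-bit block cipher Sweet32 is about) is the separate keyword 3DES. The following script is an added example for this thread, not F5 or OpenSSL code: a small evaluator for cipher strings over a constructed suite table, which reports which enabled suites use a 64-bit block cipher. The suite table, the table-order listing for ALL, and the OpenSSL 1.0.x convention that SSLv3 and TLSv1 name the same suites are assumptions made for the example; the authoritative answer for a given build is `openssl ciphers -v '<string>'` on that build.

```python
"""Toy evaluator for OpenSSL-style cipher strings, used to check whether a
string still admits 64-bit block ciphers (the Sweet32 class: 3DES, single DES).

Added example for this thread; it is not F5 or OpenSSL code.  The suite
table is constructed and deliberately small, and ordering within ALL is
table order rather than OpenSSL's strength sort.  Keyword semantics follow
ciphers(1): '!' removes permanently, '-' removes but allows re-adding,
'+' moves matches to the end, a bare token appends.  'SSLv3' and 'TLSv1'
are treated as the same keyword, as in OpenSSL 1.0.x (assumption: confirm
on the deployed build with `openssl ciphers -v '<string>'`)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str          # key exchange: RSA, DH, ECDH
    auth: str        # authentication: RSA or aNULL (anonymous)
    enc: str         # bulk cipher keyword: AES, 3DES, DES, RC4, eNULL
    mac: str         # MAC keyword: SHA, SHA256, MD5, AEAD
    block_bits: int  # cipher block size; 0 for stream ciphers and eNULL
    proto: str       # earliest protocol keyword: SSLv2, SSLv3 or TLSv1.2
    export: bool = False


# Constructed table; real OpenSSL builds carry far more suites.
SUITES = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AES", "AEAD", 128, "TLSv1.2"),
    Suite("AES128-SHA256", "RSA", "RSA", "AES", "SHA256", 128, "TLSv1.2"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", "SHA", 128, "SSLv3"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA", 64, "SSLv3"),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", "SHA", 64, "SSLv3"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA", 0, "SSLv3"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", "MD5", 0, "SSLv3"),
    Suite("ADH-AES128-SHA", "DH", "aNULL", "AES", "SHA", 128, "SSLv3"),
    Suite("EXP-DES-CBC-SHA", "RSA", "RSA", "DES", "SHA", 64, "SSLv3", export=True),
    Suite("NULL-SHA", "RSA", "RSA", "eNULL", "SHA", 0, "SSLv3"),
]
BY_NAME = {s.name: s for s in SUITES}

# The string posted in the thread (management-plane httpd ciphersuite).
POSTED_STRING = "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA"


def matches(suite: Suite, keyword: str) -> bool:
    """Does one cipher-list keyword select this suite?"""
    if keyword == "ALL":
        return suite.enc != "eNULL"
    if keyword == "ADH":
        return suite.kx == "DH" and suite.auth == "aNULL"
    if keyword == "aNULL":
        return suite.auth == "aNULL"
    if keyword in ("EXPORT", "EXP"):
        return suite.export
    if keyword in ("eNULL", "NULL"):
        return suite.enc == "eNULL"
    if keyword in ("SSLv3", "TLSv1"):       # same flag in OpenSSL 1.0.x
        return suite.proto == "SSLv3"
    if keyword in ("SSLv2", "TLSv1.2"):
        return suite.proto == keyword
    # 'DES' matches single DES only; triple DES is the separate keyword '3DES'.
    if keyword in ("AES", "3DES", "DES", "RC4"):
        return suite.enc == keyword
    if keyword in ("SHA", "SHA1", "SHA256", "MD5"):
        return suite.mac == ("SHA" if keyword == "SHA1" else keyword)
    return suite.name == keyword


def evaluate(cipher_string: str, table=SUITES) -> list:
    """Return the ordered suite names the cipher string enables."""
    current = []      # enabled suites, in order
    killed = set()    # names removed with '!' (cannot be re-added later)
    for raw in cipher_string.split(":"):
        if not raw or raw.startswith("@"):
            continue  # @STRENGTH / @SECLEVEL are not modelled
        op, token = ("", raw) if raw[0] not in "!-+" else (raw[0], raw[1:])
        parts = token.split("+")  # 'RSA+AES' style: every part must match
        selected = [s for s in table if all(matches(s, p) for p in parts)]
        names = {s.name for s in selected}
        if op == "!":
            killed |= names
            current = [s for s in current if s.name not in killed]
        elif op == "-":
            current = [s for s in current if s.name not in names]
        elif op == "+":
            current = ([s for s in current if s.name not in names]
                       + [s for s in current if s.name in names])
        else:
            current += [s for s in selected
                        if s.name not in killed and s not in current]
    return [s.name for s in current]


def sweet32_exposed(cipher_string: str) -> list:
    """Names of enabled suites whose bulk cipher has a 64-bit block."""
    return [n for n in evaluate(cipher_string) if BY_NAME[n].block_bits == 64]


if __name__ == "__main__":
    for label, cs in [("!DES only", "ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES"),
                      ("!3DES:!DES", "ALL:!ADH:!EXPORT:!eNULL:!MD5:!3DES:!DES"),
                      ("posted", POSTED_STRING)]:
        print(f"{label:10} -> {evaluate(cs)}  64-bit: {sweet32_exposed(cs)}")
```

Under the example's 1.0.x model the posted string drops DES-CBC3-SHA only because `-TLSv1:-SSLv3` strips every pre-TLS1.2 suite, not because of `!DES`; a string that stops at `!DES` keeps 3DES, and because `-` is not `!`, a later bare `DES-CBC3-SHA` token would re-enable it while `!3DES` would not. RC4-SHA, which the string re-adds, is a stream cipher and so outside the Sweet32 class, though it has its own well-known weaknesses. As the reply above says, this string governs only the management-plane httpd; the cipher list that governs VIP traffic is the one in the client SSL profile, which a passthrough VIP does not have.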