GavinW_29074
May 24, 2012 (Nimbostratus)
SSL Renegotiation on Pen Test???
Hi there
We're currently getting some of our sites which are served through our F5s pen tested...
Our F5s are currently running v11.1.0 HF2.
The pen test report has flagged the F5s as being vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 - an SSL renegotiation vulnerability...
I've had a search on AskF5 and have come up with a couple of Articles that seem to give differing stances...
SOL10737 (http://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html) suggests that the vulnerability has been patched and therefore we shouldn't be affected. It also states that the default value for 'Renegotiation' on the ClientSSL profile should be Disabled. However, on checking our F5s, the default clientssl profile appears to have SSL Renegotiation enabled.
I then found SOL13512 (http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13512.html?sr=21445394), which covers RFC 5746 and suggests that the F5s should now support Secure Renegotiation only...
However running a check using SSLLabs (https://www.ssllabs.com/ssltest) I get a warning that says Secure Renegotiation is 'Not Supported'.
So who's right?
And what steps, if any, should I take against the pen test report???
Swift response appreciated as we're running some more tests over the next few days so can retest if required...
Cheers
Gavin