GavinW_29074
May 24, 2012 (Nimbostratus)
SSL Renegotiation on PEN Test???
Hi there
We're currently getting some of our sites which are served through our F5s pen tested...
Our F5s are currently running v11.1.0 HF2.
The pen test report has flagged the F5s as being vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 - an SSL renegotiation vulnerability...
I've had a search on AskF5 and have come up with a couple of Articles that seem to give differing stances...
SOL10737 (http://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html) suggests that the vulnerability has been patched and therefore we shouldn't be affected. It also states that the default value for 'Renegotiation' on the ClientSSL profile should be Disabled. However, on checking our F5s, the default clientssl profile appears to have SSL Renegotiation enabled.
I then found SOL13512 (http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13512.html?sr=21445394), which covers RFC 5746 and suggests that the F5s should now support Secure Renegotiation only...
However running a check using SSLLabs (https://www.ssllabs.com/ssltest) I get a warning that says Secure Renegotiation is 'Not Supported'.
So who's right?
And what steps, if any, should I take against the pen test report?
Swift response appreciated as we're running some more tests over the next few days so can retest if required...
Cheers
Gavin
- jwham20 (Nimbostratus): Ah, the pen test circle of death. It's like an elementary school game of he said, she said... who do you believe? Believe your own eyes.
- jwham20 (Nimbostratus): Also, since you're on 11.1.0, you should have:
- GavinW_29074 (Nimbostratus): Josh
  list /ltm profile client-ssl clientssl
  ltm profile client-ssl clientssl {
      alert-timeout 60
      allow-non-ssl disabled
      app-service none
      authenticate once
      authenticate-depth 9
      ca-file none
      cache-size 262144
      cache-timeout 3600
      cert default.crt
      chain none
      ciphers DEFAULT
      client-cert-ca none
      crl-file none
      handshake-timeout 60
      key default.key
      mod-ssl-methods disabled
      mode enabled
      options { dont-insert-empty-fragments }
      passphrase none
      peer-cert-mode ignore
      proxy-ssl disabled
      renegotiate-max-record-delay 10
      renegotiate-period indefinite
      renegotiate-size indefinite
      renegotiation disabled
      secure-renegotiation require
      server-name none
      sni-default false
      sni-require false
      strict-resume disabled
      unclean-shutdown enabled
  }
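As an added check, not from the thread or from F5's own tooling: a small Python parser for the tmsh output quoted above that pulls out the renegotiation settings and classifies the profile against CVE-2009-3555 / RFC 5746. It assumes tmsh's one-level brace layout and that the `options` group is a list of bare flags; the sample text is constructed from the post.

```python
from typing import Any, Dict

# Constructed sample, copied from the tmsh output quoted in the post above
# (only the renegotiation-related settings and the nested options group
# matter for the check; the rest is kept to exercise the parser).
TMSH_OUTPUT = (
    "ltm profile client-ssl clientssl { alert-timeout 60 allow-non-ssl disabled "
    "cert default.crt ciphers DEFAULT key default.key mode enabled "
    "options { dont-insert-empty-fragments } proxy-ssl disabled "
    "renegotiate-period indefinite renegotiation disabled "
    "secure-renegotiation require strict-resume disabled }"
)

# Assumption: these tmsh keys hold a brace-delimited list of bare flags
# rather than key/value pairs.
LIST_KEYS = {"options"}


def parse_tmsh_profile(text: str) -> Dict[str, Any]:
    """Turn a one-line tmsh 'list' block into a dict of its settings (one nesting level)."""
    tokens = text.replace("{", " { ").replace("}", " } ").split()
    body = tokens[tokens.index("{") + 1:]      # drop the 'ltm profile ...' header
    settings: Dict[str, Any] = {}
    i = 0
    while i < len(body) and body[i] != "}":
        key = body[i]
        if body[i + 1] == "{":                 # nested group, e.g. options { ... }
            end = body.index("}", i + 2)
            group = body[i + 2:end]
            settings[key] = set(group) if key in LIST_KEYS else dict(zip(group[::2], group[1::2]))
            i = end + 1
        else:                                  # plain "key value" pair
            settings[key] = body[i + 1]
            i += 2
    return settings


def assess_renegotiation(settings: Dict[str, Any]) -> Dict[str, str]:
    """Classify exposure to CVE-2009-3555; missing settings are treated conservatively."""
    reneg = settings.get("renegotiation", "enabled")
    secure = settings.get("secure-renegotiation", "request")
    if reneg == "disabled":
        verdict = "not-applicable"   # renegotiation refused outright: no injection window
    elif secure in ("require", "require-strict"):
        verdict = "mitigated"        # only RFC 5746 (secure) renegotiation is accepted
    else:
        verdict = "exposed"          # legacy renegotiation still permitted
    return {"renegotiation": reneg, "secure-renegotiation": secure, "cve-2009-3555": verdict}


if __name__ == "__main__":
    print(assess_renegotiation(parse_tmsh_profile(TMSH_OUTPUT)))
```

To reconcile a scanner result like the SSL Labs one with the profile, pair this with `openssl s_client -connect host:443` against the virtual server and look for the `Secure Renegotiation IS supported` line in its output.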
- jwham20 (Nimbostratus): Gavin,
- jwham20 (Nimbostratus): Gavin,
- GavinW_29074 (Nimbostratus): Josh
- jwham20 (Nimbostratus): Gav,