For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GavinW_29074's avatar
GavinW_29074
Icon for Nimbostratus rankNimbostratus
May 24, 2012

SSL Renegotiation on PEN Test???

Hi there     We're currently getting some of our sites which are served through our F5's pen tested...     Our F5's are currently running v11.1.0 HF2.     The PEN test report has f...
security
jwham20's avatar
jwham20
Icon for Nimbostratus rankNimbostratus
May 24, 2012
Ah, the pen test circle of death. It's like an elementry school game of he said, she said.... who do you believe? Believe your own eyes.

 

 

Snag a Linux box and run the following test:

 

 

openssl s_client -connect :

 

 

It will connect, you'll see some cert data, then a blinking cursor. Type a capitol R and hit enter, soon you'll see:

 

 

RENEGOTIATING

 

 

If you get an error:

 

RENEGOTIATING

 

13627:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1102:SSL alert number 40

 

13627:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:

 

 

 

If you get:

 

RENEGOTIATING

 

depth=0 /C=US/ST=WA/L=S/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain

 

verify error:num=18:self signed certificate

 

verify return:1

 

depth=0 /C=US/ST=WA/L=S/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain

 

verify return:1

 

 

You have renegotiation turned on.

 

13618:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:

 

 

Hope it helps.

 

 

-Joshm