For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GavinW_29074's avatar
GavinW_29074
Icon for Nimbostratus rankNimbostratus
May 24, 2012

SSL Renegotiation on PEN Test???

Hi there     We're currently getting some of our sites which are served through our F5's pen tested...     Our F5's are currently running v11.1.0 HF2.     The PEN test report has f...
security
GavinW_29074's avatar
GavinW_29074
Icon for Nimbostratus rankNimbostratus
May 24, 2012
Josh

Cheers for your response...

I found a similar test on one of the sites I stumbled upon, and in order to get the error response, I had to disable the Renegotiation option in the clientssl profile...

So that to me suggests that insecure client renegotiation is enabled by default...

I got similar results on this site: http://netsekure.org/2009/11/tls-renegotiation-test/

Running against one of our sites with 'Renegotiation' enabled in the ClientSSL profile, I get:

Connecting to x:443

Site supports secure renegotiation!

Sending partial HTTP request

Trying to renegotiate

Site allows client initiated renegotiation!

Unpatched servers allowing client initiated renegotitation are vulnerable to a variation of the TLS MiTM attack.

Disabling 'Renegotiation' on the same site gives:

Connecting to x:443

Site supports secure renegotiation!

Sending partial HTTP request

Trying to renegotiate

Failed to renegotiate, site is not vulnerable

So I'm mighty confused at the moment...

It also appears that SSLabs does test for Secure Negotiation, but it claims that it's Not Supported on the F5's with either 'Renegotiation' enabled OR disabled...

Our default clientssl currently looks like: 

  list /ltm profile client-ssl clientssl
ltm profile client-ssl clientssl {
    alert-timeout 60
    allow-non-ssl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert default.crt
    chain none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    handshake-timeout 60
    key default.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation disabled
    secure-renegotiation require
    server-name none
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}

Will try and find out what software they're using for the Pen test and post back...

Cheers

Gavin