Dave_Burnett_20
Jul 03, 2012Nimbostratus
SSL Session Ciphers
Recent testing has identified that our web host allows clients to resume an SSL session with a different cipher to that originally negotiated.
e.g The server allowed the following session over SSLv3 to be resumed as follows : Session ID : 61ed39e667977078d6740c3b489280d9f62c56eac1bbf8a63eb76fe6d5de5ace
Initial Cipher : SSL3_CK_RSA_RC4_128_SHA (0x0005)
Resumed Cipher : SSL3_CK_RSA_DES_192_CBC3_SHA (0x000a)
We are being told that an attacker managing to locate the start of an SSL connection might be able to manipulate the session cache to cause subsequent resumptions of the session in order to use a cipher chosen by the attacker.
Is there a way the F5 can be configured to enforce resumed SSL sessions into using the originally negotiated cipher or is this purely a web server configuration ?
Many thanks