Forum Discussion
Dave_Burnett_20
Jul 03, 2012 (Nimbostratus)
SSL Session Ciphers
Recent testing has identified that our web host allows clients to resume an SSL session with a different cipher to that originally negotiated.
e.g. the server allowed the following session ...
Dave_Burnett_20
Jul 03, 2012 (Nimbostratus)
A really prompt response! Thanks for this.
It may be relevant, but I'm not totally sure?
This article implies that the F5s are not vulnerable to CVE-2012-4180, which relates to an OpenSSL vulnerability allowing the downgrade of an SSL session to a weaker cipher suite.
So you think, fine, we're OK as we're running one of those versions.
But then it goes on to say that clients can only change to a cipher that has been enabled on the F5, which seems to suggest that attackers could still change the cipher and use it to attack the webserver session.
So, do we have a vulnerability or not?
And, I suppose my original question is still valid - can the F5 enforce that a resumed session reuses the original cipher?
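The test the first post describes, written out as an added example (it is not part of the original thread and is not F5 code): two `openssl s_client` handshakes against the target, the first restricted to one cipher suite and saving the session, the second presenting that saved session while offering a different cipher list, followed by a small parser for the `New|Reused, <version>, Cipher is <name>` status line that s_client prints after every handshake. The host, port and cipher names in the usage comment are hypothetical placeholders, and `-tls1_2` is an assumption about the protocol version worth testing (use `-tls1` for targets that only speak older versions). The live probe needs network access; the verdict logic is exercised offline on constructed s_client excerpts embedded in the script.

```shell
#!/bin/sh
# Added example: probe whether a TLS server resumes a session under a cipher
# other than the one negotiated in the original handshake. Not F5 code; it drives
# the stock `openssl s_client` binary and parses the one status line it prints
# after every handshake:  "<New|Reused>, <version>, Cipher is <name>".

# First word of the status line: "New" (full handshake) or "Reused" (resumed).
handshake_kind() {
  printf '%s\n' "$1" | awk -F', ' '/, Cipher is / { print $1; exit }'
}

# Cipher suite name from the same status line.
negotiated_cipher() {
  printf '%s\n' "$1" | awk '/, Cipher is / { print $NF; exit }'
}

# Compare the full handshake ($1) with the resumption attempt ($2).
# Prints a verdict and returns 0 (acceptable), 1 (finding), 2 (probe error).
judge_resumption() {
  orig_kind=$(handshake_kind "$1")
  orig_cipher=$(negotiated_cipher "$1")
  kind=$(handshake_kind "$2")
  cipher=$(negotiated_cipher "$2")
  if [ "$orig_kind" != "New" ] || [ -z "$orig_cipher" ]; then
    echo "error: first handshake did not complete"
    return 2
  fi
  case "$kind" in
    Reused)
      if [ "$cipher" = "$orig_cipher" ]; then
        echo "ok-resumed"      # RFC 5246 behaviour: session state, cipher included, is reused
        return 0
      fi
      echo "CIPHER-CHANGED ($orig_cipher -> $cipher)"   # the behaviour reported in the post
      return 1 ;;
    New)
      echo "ok-full-handshake ($cipher)"   # server declined to resume and negotiated afresh
      return 0 ;;
    *)
      echo "error: resumption attempt did not complete"
      return 2 ;;
  esac
}

# Live probe (needs network): full handshake restricted to $3, then resume the
# saved session while offering only $4. Pinned to TLS 1.2 so that -cipher governs
# the negotiated suite (under TLS 1.3 the suites come from -ciphersuites instead).
probe_resumption() {
  host=$1; port=$2; first=$3; second=$4
  sess=$(mktemp)
  full=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
           -tls1_2 -cipher "$first" -sess_out "$sess" 2>/dev/null)
  resumed=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
           -tls1_2 -cipher "$second" -sess_in "$sess" 2>/dev/null)
  rm -f "$sess"
  judge_resumption "$full" "$resumed"
}

# Constructed s_client excerpts (not captures from any real host), trimmed to the
# lines the parser reads; real output also carries the certificate chain and
# session details.
SAMPLE_FULL='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_RESUMED_SAME='CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_RESUMED_CHANGED='CONNECTED(00000003)
---
Reused, TLSv1.2, Cipher is AES128-SHA'
SAMPLE_NOT_RESUMED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES128-SHA'

echo "same cipher on resume:      $(judge_resumption "$SAMPLE_FULL" "$SAMPLE_RESUMED_SAME")"
echo "different cipher on resume: $(judge_resumption "$SAMPLE_FULL" "$SAMPLE_RESUMED_CHANGED")"
echo "server refused to resume:   $(judge_resumption "$SAMPLE_FULL" "$SAMPLE_NOT_RESUMED")"

# Usage against a real host (hypothetical name and suites):
#   sh probe.sh www.example.com 443 ECDHE-RSA-AES256-GCM-SHA384 AES128-SHA
if [ $# -ge 4 ]; then
  probe_resumption "$1" "$2" "$3" "$4"
fi
```

Reading the verdicts: RFC 5246 (section 7.4.1.3) defines the ServerHello cipher_suite of a resumed session as the value stored in the session being resumed, so a conforming server either reports `Reused` with the original suite or, if it will not resume under the offered list, drops to a full handshake (`New`) and negotiates afresh. `Reused` with a different suite is the behaviour the first post reports: the session keys and state from the original handshake are being carried into a connection protected by a suite the client chose afterwards. The second cipher argument should deliberately exclude the first so that the probe reproduces that condition rather than a trivial same-suite resumption.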