Forum Discussion

Dave_Burnett_20's avatar
Dave_Burnett_20
Icon for Nimbostratus rankNimbostratus
Jul 03, 2012

SSL Session Ciphers

Recent testing has identified that our web host allows clients to resume an SSL session with a different cipher to that originally negotiated.     e.g The server allowed the following session ...
app sec
BIG-IP Access Policy Manager (APM)
security
Dave_Burnett_20's avatar
Dave_Burnett_20
Icon for Nimbostratus rankNimbostratus
Jul 03, 2012
A really prompt response ! Thanks for this.

 

 

It may be relevant, but I'm not totally sure?

 

 

This article infers that the F5s are not vulnerable to CVE-2012-4180, which relates to an open-SSL vulnerability allowing the downgrade to a weaker ciphersuite of an SSL session

 

 

So you think, fine, we're OK as we're running one of those versions.

 

 

But then it goes on to say that clients can only change to a cipher that has been enabled on the F5, which seems to suggest that attackers could still change the cipher and use it to attack the webserver session.

 

 

So, do we have a vulnerability or not ?

 

 

And, I suppose my original question is still valid - can the F5 enforce a resumed session to reuse the original cipher ?