But then it goes on to say that clients can only change to a cipher that has been enabled on the F5, which seems to suggest that attackers could still change the cipher and use it to attack the webserver session.
So, do we have a vulnerability or not?
I understand the new cipher has to be allowed by the F5, i.e. the cipher setting in the F5. So, if the cipher is configured well enough, I think it could be fine.
And, I suppose my original question is still valid - can the F5 enforce a resumed session to reuse the original cipher?
I never did, but I think it could be possible. For the first connection, we can add the SSL session ID and cipher to the table, and later, when the connection is resumed, we can drop the connection if the cipher does not match the one in the table.
SSL::sessionid wiki
https://devcentral.f5.com/wiki/iRules.SSL__sessionid.ashx
SSL::cipher wiki
https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx
v10.1 - The table Command by Spark
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2375/v101--The-table-Command--The-Basics.aspx
Anyway, if you do not allow SSL resume, you can disable cache size.
sol6767: Overview of the BIG-IP SSL session cache profile settings
http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6767.html
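
The table-based check suggested in the reply above, written out as an iRule. This is an added example, not code from the thread or from F5. The subtable name `ssl_cipher_pin` and the 3600-second timeout are assumptions (the timeout should match the client SSL profile's cache timeout), and it assumes resumption by session ID rather than by session ticket.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Session ID and negotiated cipher for the handshake that just completed.
    set sid    [SSL::sessionid]
    set cipher [SSL::cipher name]

    # No session ID means nothing to pin (for example, ID-less resumption).
    if { $sid eq "" } {
        return
    }

    # Assumption: entries live as long as the SSL session cache entry would.
    set ttl 3600

    # -notouch: a lookup must not extend the entry beyond the cache timeout.
    set pinned [table lookup -notouch -subtable ssl_cipher_pin $sid]

    if { $pinned eq "" } {
        # First time this session ID is seen: record the cipher it negotiated.
        # "table add" only writes if the key does not exist yet, so a race
        # between two TMM connections cannot overwrite the original value.
        table add -subtable ssl_cipher_pin $sid $cipher $ttl $ttl
        return
    }

    if { $pinned ne $cipher } {
        # Resumed session came back with a different cipher than the one
        # recorded on the full handshake: log it and drop the connection.
        log local0.warning "SSL resume cipher change from [IP::client_addr]:\
            session $sid pinned=$pinned offered=$cipher"
        table delete -subtable ssl_cipher_pin $sid
        reject
    }
}
```

The rule attaches to a virtual server that has a client SSL profile. The log line gives a detection signal even if the `reject` is later removed in favour of monitoring only.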