Forum Discussion
Dave_Burnett_20
Jul 03, 2012Nimbostratus
SSL Session Ciphers
Recent testing has identified that our web host allows clients to resume an SSL session with a different cipher to that originally negotiated.
e.g The server allowed the following session ...
nitass
Jul 03, 2012Employee
But then it goes on to say that clients can only change to a cipher that has been enabled on the F5, which seems to suggest that attackers could still change the cipher and use it to attack the webserver session.
So, do we have a vulnerability or not ?i understand the new cipher has to be allowed by f5 i.e. cipher setting in f5. so, if cipher is configured good enough, i think it could be fine.
And, I suppose my original question is still valid - can the F5 enforce a resumed session to reuse the original cipher ?i never did but i think it could be possible. for the first connection, we can add ssl session id and cipher to table. and later when connection is resumed, we can drop connection if cipher does not match the one in the table.
SSL::sessionid wiki
https://devcentral.f5.com/wiki/iRules.SSL__sessionid.ashx
SSL::cipher wiki
https://devcentral.f5.com/wiki/iRules.SSL__cipher.ashx
v10.1 - The table Command by Spark
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2375/v101--The-table-Command--The-Basics.aspx
anyway, if you do not allow ssl resume, you can disable cache size.
sol6767: Overview of the BIG-IP SSL session cache profile settings
http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6767.html
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects