If I'm reading you correctly you're saying that the enforcement of using the original cipher is possible by a combination of i-rules?
This is an area I'm not too familiar with as we've not used them very extensively at all in our current LTM/ASM setup.
Looking at the links you've kindly provided it appears that on the initial https connection we should add the cipher version (SSL::cipher version) to the session table so that it links to the session ID. Is that correct? However, I'm brave enough to admit I wouldn't know the full i-rule to write to achieve this.
Then I think you're saying that, should the connection be resumed (but how would you know it had been resumed, does it use the same session ID?) you would write an i-rule to examine the cipher version of the resumed connection and compare it to the original. If the ciphers were different the connection would be dropped. Again, I wouldn't know how to begin writing that i-rule!
Thanks for your help so far. I wouldn't blame you if you walked away now! But if you're an i-rule expert and know the syntax required I'd be most grateful for further assistance.
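A sketch of the check described in the post above, added here as an example and not part of the original post or of F5's own code. It assumes resumption is by session ID (not session tickets); the subtable name `ssl_orig_cipher` and the 3600-second timeout are hypothetical and should be aligned with the cache timeout in the client SSL profile.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Session ID for this handshake. A resumed session presents the same
    # ID the server issued on the original full handshake.
    set sid [SSL::sessionid]
    if { $sid eq "" } {
        # No session ID to key on, so there is nothing to compare.
        return
    }

    # Fingerprint of what was actually negotiated on this connection.
    set current "[SSL::cipher name]/[SSL::cipher version]/[SSL::cipher bits]"

    # Look up what was recorded when this session ID was first seen.
    # -notouch keeps the lookup from extending the entry's lifetime.
    set original [table lookup -notouch -subtable ssl_orig_cipher $sid]

    if { $original eq "" } {
        # First time this session ID is seen: treat it as the initial
        # handshake and record the cipher (timeout value is an assumption).
        table set -subtable ssl_orig_cipher $sid $current 3600
    } elseif { $original ne $current } {
        # Session ID already known but the cipher differs: the session
        # was resumed with a different cipher, so drop the connection.
        log local0.warning "SSL resume cipher mismatch from [IP::client_addr]: was $original, now $current"
        reject
    }
}
```

A session ID already present in the table is how the rule recognises a resumed connection; an ID that is absent is treated as a new session.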