For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Huw_37537's avatar
Huw_37537
Icon for Nimbostratus rankNimbostratus
Nov 28, 2017

SSLv3, TLS1.0 and cipherstrings...

Running v11.6.1. I've tried searching for an answer to this question, which surely must have been asked before, but too many different topics use the same search criteria and I find myself getting in...
LTM
security
sslv3
ltwagnon's avatar
ltwagnon
Ret. Employee
Nov 28, 2017

When a client sends a "Client Hello" message to the server, it sends a list of cipher suites that it supports. The idea is that one of those cipher suites is also supported by the server, and typically the strongest cipher suite is the one chosen for the TLS session. The client SSL profile lists the cipher suites that the BIG-IP (server) will support. For the TLS handshake, the server gets to decide what cipher suite will be used. So, in the case of a BIG-IP having a client SSL profile that has the "!SSLv3" added, this means that the BIG-IP will not offer any cipher suite that has SSLv3 in it. So, even if the client sends a list of cipher suites that include SSLv3, the server (BIG-IP) will not choose any of those because they won't match any of the server-side cipher suites. Instead, the server (BIG-IP) will negotiate a different cipher suite from the client.

 

Here's an article/video that might help as well: https://devcentral.f5.com/articles/whiteboard-wednesday-breaking-down-the-tls-handshake