Forum Discussion
Mike_Morse_1839
Mar 02, 2015 (Nimbostratus)
The best ciphersuite
Hi
We host several virtual servers on our LTM and assign SSL profiles to them with certain ciphersuites. I wish to improve them.
My question is, can anyone suggest an appropriate cipher suite to ...
El-Guapo_29797
Mar 04, 2015 (Nimbostratus)
I just read SOL 15882, which is what I used to fix my issue in the interim. Go to the section of your article, "Recommendation Action", then go to BIG-IP 10.x - 11.4.1. It clearly says to run the command below, which disables !SSLv3 but enables RC4-SHA. There is a reason for that.
create /ltm profile client-ssl TLS-Padding ciphers !SSLv3:RC4-SHA
We have many F5s & finally got our hands on this article as to why TLS patching broke some of our websites: https://devcentral.f5.com/articles/cve-2014-3566-poodle-vs-cve-2014-8730-tls-poodle
- Brad_Parker, Mar 04, 2015 (Cirrus)
  From this article, "With CVE-2014-8730/TLS POODLE there is a code fix, and all of our latest releases have it, starting with 10.2.4 HF10, 11.2.1 HF13, 11.4.0 HF9, 11.4.1 HF6, 11.5.0 HF6, 11.5.1 HF6, and 11.6.0. Upgrading for the fix is the recommended solution, and F5 Networks always recommends upgrading to the latest Hotfix Rollup for a given branch. For those who are unable to upgrade at this time, there is a configuration workaround as detailed in SOL15882:
  In 11.5.0+ use the cipher string !SSLv3:AES-GCM:RC4-SHA
  In 11.4.1 and earlier use the cipher string !SSLv3:RC4-SHA"