Forum Discussion
The best ciphersuite
I just read SOL 15882, which is what I used to fix my issue in the interim. Go to the "Recommendation Action" section of your article, then go to BIG-IP 10.x - 11.4.1. It clearly says to run the command below, which disables !SSLv3 but enables RC4-SHA. There is a reason for that.
create /ltm profile client-ssl TLS-Padding ciphers !SSLv3:RC4-SHA
We have many F5s & finally got our hands on this article as to why TLS patching broke some of our websites: https://devcentral.f5.com/articles/cve-2014-3566-poodle-vs-cve-2014-8730-tls-poodle
- Brad_Parker, Mar 04, 2015
Cirrus
From this article, "With CVE-2014-8730/TLS POODLE there is a code fix, and all of our latest releases have it, starting with 10.2.4 HF10, 11.2.1 HF13, 11.4.0 HF9, 11.4.1 HF6, 11.5.0 HF6, 11.5.1 HF6, and 11.6.0. Upgrading for the fix is the recommended solution, and F5 Networks always recommends upgrading to the latest Hotfix Rollup for a given branch. For those who are unable to upgrade at this time, there is a configuration workaround as detailed in SOL15882:
In 11.5.0+ use the cipher string !SSLv3:AES-GCM:RC4-SHA
In 11.4.1 and earlier use the cipher string !SSLv3:RC4-SHA"
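An added example, not part of the original posts or F5's own tooling: a small audit that reads client-ssl profiles from bigip.conf-style text and reports any whose `ciphers` value differs from the SOL15882 workaround string quoted above for the given version. The sample config, the profile names other than TLS-Padding, and the function names are constructed for illustration, and the script assumes the unit is not yet on one of the fixed hotfixes.

```python
import re

# Workaround cipher strings as quoted from SOL15882 in the reply above.
WORKAROUND_11_5_PLUS = "!SSLv3:AES-GCM:RC4-SHA"
WORKAROUND_11_4_1_AND_EARLIER = "!SSLv3:RC4-SHA"

# Constructed sample in bigip.conf style; not taken from a real device.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/TLS-Padding {
    ciphers !SSLv3:RC4-SHA
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/legacy-app {
    ciphers DEFAULT
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/inherits {
    defaults-from /Common/clientssl
}
"""

# A profile stanza ends at the first unindented closing brace.
PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)
CIPHERS_RE = re.compile(r"^\s+ciphers (\S+)\s*$", re.M)

def expected_ciphers(version):
    """Pick the workaround string for a dotted BIG-IP version such as '11.4.1'."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return WORKAROUND_11_5_PLUS if parts >= (11, 5, 0) else WORKAROUND_11_4_1_AND_EARLIER

def audit(conf_text, version):
    """Return {profile name: finding} for profiles not set to the workaround."""
    want = expected_ciphers(version)
    findings = {}
    for name, body in PROFILE_RE.findall(conf_text):
        match = CIPHERS_RE.search(body)
        if match is None:
            # No explicit ciphers line: the value comes from the parent profile.
            findings[name] = "no ciphers line; value is inherited, check the parent"
        elif match.group(1) != want:
            findings[name] = f"ciphers {match.group(1)!r} differs from {want!r}"
    return findings

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONF, "11.4.1").items():
        print(profile, "->", finding)
```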
