Forum Discussion
TLS Poodle and RC4 vulnerability : default:!SSLv3:!RC4-SHA
We are running F5 LTM version 11.4.1 hotfix 4. Recently we disabled the weak RC4 cipher to remove the Minimal warning from our scan.
But due to the recent arrival of the Poodle TLS vulnerability we had to introduce !SSLv3:RC4-SHA, which brought back the Minimal warning for having RC4 in the acceptable ciphers.
How can we overcome this? Removing the Poodle TLS padding vulnerability returns the RC4 warning.
- Leonardo_39231Nimbostratus
I believe you have to upgrade to a newer version of code that isn't vulnerable. I'm sure someone will correct me if I'm wrong.
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
- Pascal_Tene_910Historic F5 Account
If you want to mitigate TLS POODLE and RC4 weaknesses at the same time, you will have to upgrade to 11.5.0 or later, then create an SSL profile similar to:
Note that the above profile will only allow clients that can support AES-GCM ciphers. This is quite limited and might lead to other issues.
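Why the two scan findings trade off against each other, as an added example that is not part of the original thread and is not F5 code: the TLS padding issue concerns CBC-mode suites, RC4 is the non-CBC alternative for older protocol versions, and excluding both leaves only AES-GCM, which requires TLS 1.2. The suite list is constructed sample data using OpenSSL-style names, and the function names are hypothetical.

```python
# Added example. SAMPLE_SUITES is constructed sample data (OpenSSL-style names),
# not the cipher list of any particular BIG-IP version.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

def mode_of(suite):
    """Classify a suite by bulk-cipher mode, judged from its name alone."""
    parts = suite.upper().split("-")
    if "RC4" in parts:
        return "rc4"
    if "GCM" in parts:
        return "aead"
    # Assumption: every other suite in this sample is a CBC block cipher.
    return "cbc"

def min_protocol(suite):
    """AES-GCM and SHA-2 MAC suites are only defined from TLS 1.2 onwards."""
    if mode_of(suite) == "aead" or suite.upper().endswith(("SHA256", "SHA384")):
        return "TLSv1.2"
    return "TLSv1.0"

def surviving(suites, forbidden_modes):
    """Suites left after excluding every suite whose mode is forbidden."""
    return [s for s in suites if mode_of(s) not in forbidden_modes]

def report(suites):
    """For each policy: which modes remain and which protocols clients may use."""
    policies = {"no RC4": {"rc4"}, "no CBC": {"cbc"}, "no RC4, no CBC": {"rc4", "cbc"}}
    rows = {}
    for label, forbidden in policies.items():
        kept = surviving(suites, forbidden)
        rows[label] = (sorted({mode_of(s) for s in kept}),
                       sorted({min_protocol(s) for s in kept}))
    return rows

if __name__ == "__main__":
    for label, (modes, protocols) in report(SAMPLE_SUITES).items():
        print(f"{label:16} remaining modes={modes} client protocols={protocols}")
```
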
- cisco_01_157892Nimbostratus
I just tested it, but it does not work. Is hotfix 8 for 11.4.1 more stable?
- Pascal_Tene_910Historic F5 Account
@cisco 01. If you are still experiencing issues on this, I suggest you open a security support case and provide a qkview for review.