Forum Discussion

cisco_01_157892's avatar
cisco_01_157892
Icon for Nimbostratus rankNimbostratus
May 04, 2015

TLS Poodle and RC4 vulnerability : default:!SSLv3:!RC4-SHA

We are running F5 LTM version 11.4.1 hostfix 4 Recently we disabled the RC4 weak CIPHER to remove the Minimal warning from our scan.

 

But due to the recent arrival of Poodle TLS vulnarability we had to introduce !SSLv3:RC4-SHA which brought back the Minimal warning for having RC4 in the acceptable CIPHER.

 

How can we over come this? Removing Poodle TLS padding vulnerability returns RC4 warning

 

  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account

    @cisco 01. If you are still experiencing issues on this, I suggest you open a security support case and provide qkview for review.

     

  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account

    If you want to mitigate TLS POODLE and RC4 weaknesses at the same time, you will have to upgrade to 11.5.0 or later, then create SSL profile similar to:

     

    tmsh create /ltm profile client-ssl TLS-Padding ciphers !SSLv3:AES-GCM

    Note that above profile will only allow clients that can support AES-GCM ciphers. This is quite limited. and might lead to other issues.

     

    • cisco_01_157892's avatar
      cisco_01_157892
      Icon for Nimbostratus rankNimbostratus
      I just tested it but it does not work .is what the hostfix8 for 11.4.1 is more stable
    • cisco_01_157892's avatar
      cisco_01_157892
      Icon for Nimbostratus rankNimbostratus
      I just tested it but it does not work .is what the hostfix8 for 11.4.1 is more stable