Parveez_70209
Mar 03, 2014

TLS Protocol Session Renegotiation Security Vulnerability Prevention

Hi Team,

How do we prevent the TLS Protocol Session Renegotiation Security Vulnerability issue? We have LTM running on version 10.x.

Thanks and Regards Parveez

10 Replies

  • One thing I'll add is that enabling secure renegotiation on a server SSL profile will break connections if the server isn't patched accordingly. We encountered this for many different applications after upgrading to v11. In an ideal world, all servers would be patched for this renegotiation vulnerability, especially since it's been around for so long, but...

    Something to keep in mind when upgrading.

    • Cory_50405
      In the server SSL profile configuration, just change 'Secure Renegotiation' to either 'require' or 'require strict'.
  • Hi,

    As I shared, our image is BIG-IP 10.2.4 Build 817.0 Hotfix HF7, and as per the document shared by Kevin, ours should not be vulnerable to the TLS Protocol Session Renegotiation Security Vulnerability.

    Secondly, Cory, I tried modifying 'Secure Renegotiation' to either 'require' or 'require strict' (in the SSL Client Profile). But it didn't help; after scanning the same again, we got the same vulnerability again.

    Kindly suggest.

    Thanks and Regards Parveez

  • The setting is to enforce secure renegotiation with the server, so you'd need to change that on the server SSL profile.

  • We are not using any Server SSL Profile for now. So, in case I create a Server SSL Profile and make those settings, does the end server also need to have SSL certificates?

    Will it work?

    Thanks and Regards Parveez

  • If you are going to apply a server SSL profile, then yes, your server will need to be configured with a certificate and to accept SSL connections.

    So it sounds like if your scanner is still finding the TLS renegotiation vulnerability after changing your client SSL profile to either 'require' or 'require strict', then it's a false positive.
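As an added example (not part of this thread, and not F5's own code), the script below shows how to tell from outside whether a virtual server advertises RFC 5746 secure renegotiation, which is the property the 'require' and 'require strict' settings enforce on the client-side profile; comparing this against what the scanner reports is one way to confirm the false-positive reading above. It assumes an OpenSSL command-line client is available. The s_client output lines are constructed samples, not real captures, and the hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from this thread or from F5. Classifies the handshake
# summary printed by `openssl s_client` to tell whether the TLS endpoint
# advertises RFC 5746 secure renegotiation (the property that the
# 'require' / 'require strict' profile settings enforce).

# classify_reneg: reads s_client output on stdin, prints one word
# (secure / insecure / unknown) and exits 0 only for "secure".
classify_reneg() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS supported"*)     echo secure;   return 0 ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure; return 1 ;;
        *)                                         echo unknown;  return 2 ;;
    esac
}

# check_vip: live check against a virtual server (network access needed,
# so it is not exercised by the samples below). $1 = host, $2 = port.
check_vip() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | classify_reneg
}

# Constructed sample output (not real captures) in the shape s_client prints.
SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported'

SAMPLE_INSECURE='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported'

# Demonstration on the constructed samples; a real run would be e.g.
#   check_vip vip.example.invalid 443      (placeholder hostname)
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE"; do
    result=$(printf '%s\n' "$s" | classify_reneg) || true
    echo "sample -> $result"
done
```

The profile setting itself, on tmsh for v11 and later, is `tmsh modify ltm profile client-ssl <profile> secure-renegotiation require-strict`, with the same attribute on `ltm profile server-ssl` for the server side once a server SSL profile is in use; whether the 10.2.x tmsh accepts the same attribute name is not confirmed here and is an assumption, so the GUI setting named in the replies is the safe route on that release. A VIP whose client-side profile is set to 'require' or 'require strict' should report "IS supported" from this check.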


  • Hi Cory,

    Yes, it seems like a false-positive case, as it's trying that.

    So, can we ignore this for now, because we don't use server SSL certificates?

    Thanks and Regards Parveez