Forum Discussion
Stefan_Klotz
Cumulonimbus
CumulonimbusUpdate openssl version separately???
Hi there, I'd like to ask you this time if there is any possibility to update the openssl version without updating the TMOS. Right now the affected boxes are running 10.1.0 HF2 with openssl 0.9.8e, but we need openssl 0.9.8q or later (due to the vulnerability CVE-2010-4180). As shown in third party software matrix, this is only available from TMOS version 11.x and I want to know if it's possible to stay with TMOS version 10.x and update openssl separately. Thank you!
Ciao Stefan :)
boneyardMVP
as far as i know you shouldn't, it might be possible but i doubt F5 is going to support your device afterwards. to get a definitive answer i would ask support btw.
What_Lies_Bene1Cirrostratus
I'd concur, you might manage to do the install but it's very likely something will break.
If you chose the correct native cipher strings, OpenSSL be used anyway and performance will be better. Let me know if you want more information around that.
- Stefan_Klotz
Hi What Lies Beneath, do you mean that the OpenSSL vulnerability can be fixed with a correct cipher string? Then yes, please let me know. Thank you!
Ciao Stefan :)
- What_Lies_Bene1
Well, it doesn't fix OpenSSL, but it avoids it and thus mitigates the risk. The cipher string to use to avoid using compat ciphers (and thus OpenSSL) for your version would be:
.!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEEDNote when you move to v10.2 or later, you no longer need to do this, the default ciphers only include native ciphers.
- Stefan_Klotz
Hi What Lies Beneath, this sounds like a solution for us. But can you please explain shortly the difference between compact and native ciphers? I already played a little bit with different/dedicated ciphers, but wasn't aware which parameters will result in using which encryption tool. Thank you!
Ciao Stefan :)
- What_Lies_Bene1
This article should tell you all you need to know: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13187.html.
"The BIG-IP SSL profiles can use ciphers from two different SSL stacks; the NATIVE stack is built into TMM, and the COMPAT stack is based on the OpenSSL library. The NATIVE stack is an optimized SSL stack which the BIG-IP system can use to leverage hardware acceleration. F5 recommends that you use the NATIVE stack, as it is suitable for most SSL connections."
It looks like you can just use the NATIVE cipher string to avoid using OpenSSL.
- ckoeber
Altostratus
I have currently had the same question (7 years later), whether it is possible to update the OpenSSL version in the LTMs without TMOS update, since it is also old and actually deprecated in the current BIG-IP versions.
I open a Service Request #C3461941 with F5 support:
Dear F5 support,
I'd like to ask you this time if there is any possibility to update the openssl version without updating the TMOS itself. Right now the affected boxes are running 13.1.3.4-0.181.5 with openssl-1.0.1l-1.f5.10.0.181.5.
As shown in third party software matrix https://support.f5.com/csp/article/K65097545, this is only included in TMOS version 13.1.3 and I want to know if it's possible to stay with TMOS version 13.1.3 and update openssl separately to latest release 1.1.1 which is only now maintained and supported until 2023-09-11: https://en.wikipedia.org/wiki/OpenSSL
As well the newest release 16.x is running on old outdated openssl-1.0.2u which was supported until 2019-12-31: https://support.f5.com/csp/article/K48851448
I got this feedback:
Unfortunately there is no way for you to upgrade OpenSSL separately on a BIG-IP device.
F5 has numerous instances of OpenSSL on the device which include:
BaseOS, TMOS, iRulesLX (NodeJS), iRulesLX (NodeJS), APM Client, APM Server and OAM (About to EOL).
F5 Network is currently running OpenSSL 1.0.1l across most support platforms for most BIG-IP components.
We already have a development plan in place to next update to OpenSSL 1.1.1 (sub-version TBA) which has no scheduled ETA yet.
