For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

san_239682's avatar
san_239682
Icon for Nimbostratus rankNimbostratus
Apr 26, 2016

Weak SSL cipher vulnerability during website vulnerability test

During a website vulnerability test we have found threat as: RC4 contains several known weaknesses, and cipher suites that use RC4 are considered "weak ciphers".Therefore, the following has been id...
application delivery
LTM
ekaleido_26616's avatar
ekaleido_26616
Icon for Cirrocumulus rankCirrocumulus
Apr 26, 2016

Navigate to the client side SSL profiles you use. Within the Configuration section of each, change the dropdown box from Basic to Advanced. You will see a cipher suites field with the entry "DEFAULT".

I recommend you change it to the following:

ECDHE+AES-GCM:ECDHE+AES:DEFAULT:!TLSv1:!DHE:!RC4:!MD5:!EXPORT:!LOW:!SSLv2

I also recommend adding the following iRule to all of your SSL VIPs as it will help you score an A or better on a Qualys SSL Labs scan:

when HTTP_RESPONSE {

HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"

}
  • san_239682's avatar
    san_239682
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2016
    Thank you Ekaleido Just to confirm !TLSv1 disables using the version TLSv1 on SSL profile right?
  • ekaleido_26616's avatar
    ekaleido_26616
    Icon for Cirrocumulus rankCirrocumulus
    Apr 26, 2016
    Ye it does, but it still allows 1.1 and 1.2.
  • san_239682's avatar
    san_239682
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2016
    Is this vulnerability associated only with using TLSV1 or with any other issues
  • ekaleido_26616's avatar
    ekaleido_26616
    Icon for Cirrocumulus rankCirrocumulus
    Apr 26, 2016
    Only TLSv1. 1.1 and 1.2 are good.