For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

san_239682's avatar
san_239682
Icon for Nimbostratus rankNimbostratus
Apr 26, 2016

Weak SSL cipher vulnerability during website vulnerability test

During a website vulnerability test we have found threat as: RC4 contains several known weaknesses, and cipher suites that use RC4 are considered "weak ciphers".Therefore, the following has been id...
application delivery
LTM
ekaleido's avatar
ekaleido
Icon for Cirrus rankCirrus
Apr 26, 2016

Navigate to the client side SSL profiles you use. Within the Configuration section of each, change the dropdown box from Basic to Advanced. You will see a cipher suites field with the entry "DEFAULT".

I recommend you change it to the following:

ECDHE+AES-GCM:ECDHE+AES:DEFAULT:!TLSv1:!DHE:!RC4:!MD5:!EXPORT:!LOW:!SSLv2

I also recommend adding the following iRule to all of your SSL VIPs as it will help you score an A or better on a Qualys SSL Labs scan:

when HTTP_RESPONSE {

HTTP::header insert Strict-Transport-Security "max-age=31536000; includeSubDomains"

}
ekaleido's avatar
ekaleido
Icon for Cirrus rankCirrus
Apr 26, 2016
Ye it does, but it still allows 1.1 and 1.2.