CVE-2014-3566 POODLE vs. CVE-2014-8730 TLS POODLE

At F5 Networks we have seen a good deal of confusion over these two CVEs ever since they appeared late last year. As this is ongoing, we felt it needs to be addressed. The confusion is totally unders...
Published Feb 17, 2015
Version 1.0
BIG-IP
f5 sirt
security
TMOS
MegaZone's avatar
MegaZone
Icon for SIRT rankSIRT
Jul 06, 2015
sandevsingh - You want to use '!SSLv3:AES-GCM:RC4-SHA' First, SSLv3 is only disabled *BY DEFAULT*. If you change the cipher string, it may no longer be disabled - and, in fact, in this case if you just used 'AES-GCM:RC4-SHA' you would re-enable it as RC4-SHA exists in SSLv3. So you'd end up enabling RC4-SHA for *all* protocols that have it, including SSLv3. Since you're replacing the cipher string you need to be careful about what gets re-enabled. You can check it with "tmm --clientciphers '!SSLv3:AES-GCM:RC4-SHA'" vs. "tmm --clientciphers 'AES-GCM:RC4-SHA'" As for the negation, it only applies to SSLv3. The '!' only applies to one term, not the whole string. !SSLv3:AES-GCM:RC4-SHA means HARD DISABLE SSLv3, ENABLE AES-GCM, and ENABLE RC4-SHA. So what you're left with are AES-GCM & RC4-SHA enabled for TLS. No other ciphers are enabled - so all CBC-mode ciphers are implicitly disabled. You're just enabling the non-CBC ciphers and leaving the rest out.