CVE-2014-3566: Removing SSLv3 from BIG-IP
The POODLE (CVE-2014-3566) vulnerability can force a client to negotiate SSLv3 instead of TLSv1.x ciphers. Then a BEAST-like attack can be conducted against SSLv3 to obtain information from the encry...
Updated Mar 18, 2022
Version 2.0
Jeff_Costlow_10
Historic F5 Account
Joined January 26, 2005
Zak_Beck
Oct 15, 2014
Nimbostratus
For me, on 11.4.1, the data plane stuff works. The management plane does not - I get an error:
tmsh modify /sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3'
01070920:3: Application error for confpp: Syntax OK
Error in cipher list
10147:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223:
'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3' invalid.
If I try the command without !SSLv3, it works - it appears SSLv3 is not available on 11.4.1. As this is the management plane I'm less concerned about this, but it would be nice to close it off for completeness. We are planning an upgrade to 11.6; hopefully it should work there!