CVE-2014-3566: Removing SSLv3 from BIG-IP
The POODLE (CVE-2014-3566) vulnerability can force a client to fall back to SSLv3 instead of TLSv1.x. A BEAST-like padding-oracle attack can then be conducted against SSLv3 CBC ciphers to obtain information from the encry...
Updated Mar 18, 2022
Version 2.0
Jeff_Costlow_10
Historic F5 Account
Joined January 26, 2005
jba3126
Oct 23, 2014
For those that are on version 10.2.3 - 10.2.4 and are unable to break away from SSLv3, the following cipher may be helpful. What it does is offer up the Default F5 Ciphers for your version and negates the use of RC4 (CVE-2013-2566) and CBC/CBC3 (CVE-2014-3566) ciphers, orders according to strength, and yet still allows for some usage of the SSLv3 protocol. This won't get you any awards with your clients that are looking for the complete removal of SSLv3, but it will allow you to assess your usage and migrate. Also, if any of your clients run a security scan, it will most likely come up with a low grade and vulnerable (for example, Qualys SSL Labs) because they are not looking at which ciphers you are using. Last but not least, if you want to support IE 6 you will need to remove the negation of RC4 (not recommended).
DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH
Note: In general, use caution when running the tmm command. I have caused a box to crash and reboot by not providing the correct options on another, unrelated command. What this command does is show you the yield of your client cipher settings. This is extremely helpful to know what you are offering up based on what you set in your SSL profile's cipher setting.
[mytypedoverusername@lab-lb1:Active] ~ tmm --clientciphers 'DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH'
    ID  SUITE            BITS  PROT    METHOD  CIPHER  MAC     KEYX
0:  53  AES256-SHA       256   SSL3    Native  AES     SHA     RSA
1:  53  AES256-SHA       256   TLS1    Native  AES     SHA     RSA
2:  53  AES256-SHA       256   TLS1.2  Native  AES     SHA     RSA
3:  53  AES256-SHA       256   DTLS1   Native  AES     SHA     RSA
4:  61  AES256-SHA256    256   TLS1.2  Native  AES     SHA256  RSA
5:  47  AES128-SHA       128   SSL3    Native  AES     SHA     RSA
6:  47  AES128-SHA       128   TLS1    Native  AES     SHA     RSA
7:  47  AES128-SHA       128   TLS1.2  Native  AES     SHA     RSA
8:  47  AES128-SHA       128   DTLS1   Native  AES     SHA     RSA
9:  60  AES128-SHA256    128   TLS1.2  Native  AES     SHA256  RSA
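The cipher string in the post above, and the tmm --clientciphers output it yields, can be modelled offline. The following Python is an added example, not code from the post or from F5: it is a toy evaluator for BIG-IP/OpenSSL-style cipher strings (DEFAULT, keywords such as RC4, the '!', '-' and '+' operators, and @STRENGTH) that prints one (suite, protocol) row per offered combination, the way tmm does, and then reports which suites a client could still negotiate over SSLv3. The suite table is constructed from the suites visible in the post's output plus the RC4 and 3DES suites the string removes; real BIG-IP defaults differ by version. Treating '!SSLv3' as a protocol filter that strips SSL3 from every suite, rather than as a suite selector, mirrors how BIG-IP protocol keywords behave but is an assumption of this model, as are the keyword names it understands.

```python
"""Toy model of BIG-IP cipher-string evaluation and of the rows that
`tmm --clientciphers` prints for a given string.

Added example, not F5 code.  DEFAULT_SUITES is constructed (assumption) from
the suites seen in the post's output plus RC4 and 3DES suites; the operator
and keyword semantics are a simplified model of the OpenSSL-style rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int
    cipher: str        # bulk cipher: AES, RC4, 3DES
    mac: str
    protocols: tuple   # protocol versions the stack would offer it on


# Constructed "DEFAULT" table in a plausible default order (assumption).
DEFAULT_SUITES = (
    Suite("AES256-SHA",    256, "AES",  "SHA",    ("SSL3", "TLS1", "TLS1.2", "DTLS1")),
    Suite("AES128-SHA",    128, "AES",  "SHA",    ("SSL3", "TLS1", "TLS1.2", "DTLS1")),
    Suite("AES256-SHA256", 256, "AES",  "SHA256", ("TLS1.2",)),
    Suite("AES128-SHA256", 128, "AES",  "SHA256", ("TLS1.2",)),
    Suite("DES-CBC3-SHA",  168, "3DES", "SHA",    ("SSL3", "TLS1", "TLS1.2", "DTLS1")),
    Suite("RC4-SHA",       128, "RC4",  "SHA",    ("SSL3", "TLS1", "TLS1.2")),
    Suite("RC4-MD5",       128, "RC4",  "MD5",    ("SSL3", "TLS1", "TLS1.2")),
)

# Keywords that select suites by property (subset; assumption).
SUITE_KEYWORDS = {
    "DEFAULT": lambda s: True,
    "ALL":     lambda s: True,
    "RC4":     lambda s: s.cipher == "RC4",
    "3DES":    lambda s: s.cipher == "3DES",
    "AES":     lambda s: s.cipher == "AES",
    "MD5":     lambda s: s.mac == "MD5",
}

# Keywords that select protocol versions.  Modelled as BIG-IP treats them:
# '!SSLv3' removes the SSL3 protocol from every suite, not the suites (assumption).
PROTOCOL_KEYWORDS = {"SSLv3": "SSL3", "TLSv1": "TLS1", "TLSv1_2": "TLS1.2", "DTLSv1": "DTLS1"}


def evaluate(spec, table=DEFAULT_SUITES):
    """Return the ordered list of (suite, offered protocols) for a cipher string."""
    selected = []                                          # ordered suites currently listed
    killed = set()                                         # names removed with '!' (permanent)
    allowed = set(p for s in table for p in s.protocols)   # protocol versions still enabled

    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # Python's sort is stable, so equal-strength suites keep their order.
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)

        if name in PROTOCOL_KEYWORDS:
            proto = PROTOCOL_KEYWORDS[name]
            if op in ("!", "-"):
                allowed.discard(proto)
            elif op == "":
                allowed.add(proto)
            continue

        pred = SUITE_KEYWORDS.get(name, lambda s, n=name: s.name == n)
        matches = [s for s in table if pred(s)]
        if op == "!":                       # delete now and refuse later re-adds
            killed.update(s.name for s in matches)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":                     # delete now, but a later keyword may re-add
            selected = [s for s in selected if s not in matches]
        elif op == "+":                     # move matching suites to the end of the list
            selected = [s for s in selected if s not in matches] + [s for s in selected if s in matches]
        else:                               # append new matches that were not killed
            selected.extend(s for s in matches if s.name not in killed and s not in selected)

    result = []
    for s in selected:
        protos = tuple(p for p in s.protocols if p in allowed)
        if protos:
            result.append((s, protos))
    return result


def client_ciphers(spec, table=DEFAULT_SUITES):
    """One (suite name, bits, protocol) row per offered combination, like tmm --clientciphers."""
    return [(s.name, s.bits, p) for s, protos in evaluate(spec, table) for p in protos]


def sslv3_exposure(spec, table=DEFAULT_SUITES):
    """Names of suites the string still lets a client negotiate over SSLv3."""
    return [s.name for s, protos in evaluate(spec, table) if "SSL3" in protos]


if __name__ == "__main__":
    for spec in ("DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH", "DEFAULT:!SSLv3:@STRENGTH"):
        print(spec)
        for row in client_ciphers(spec):
            print("  %-14s %3d %s" % row)
        print("  still offered over SSLv3:", sslv3_exposure(spec) or "none")
```

Run against the post's string, the model reproduces the ten rows shown above, and sslv3_exposure reports AES256-SHA and AES128-SHA, which is the residual SSLv3 usage the post refers to; the same check against a string that negates the protocol keyword instead reports nothing offered over SSLv3.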