on 14-Oct-201416:24 - edited on 18-Mar-202210:06 by JRahm
The POODLE (CVE-214-03566) vulnerability can force a client to negotiate SSLv3 instead of TLSv1.x ciphers. Then a BEAST-like attack can be conducted against SSLv3 to obtain information from the encrypted stream. This isn't necessarily a new attack, and there has been some speculation about how feasible attacks like BEAST are in the real world, but POODLE makes BEAST much easier.
F5 has analyzed the situation and recommends customers disable SSLv3 when possible. This article will give you the information you need to disable SSLv3. Please also consult the official F5 SOL 15702.
Background SOL8802 provides a starting point for information about TLS on a BIG-IP. It has many links to help you change your cipher specifications for the different versions of BIG-IP. I’ll be making references to many of the linked SOLutions in this article. Second, please read my article from last year about cipher selection. If you disable SSLv3 ciphers, you may be locking out some legacy clients. Wikipedia has a great table for SSL/TLS browser support. Always test to make sure that you haven’t blocked legitimate clients. If you know of legacy SSLv3 clients, you may want to upgrade them as soon as possible.
On a BIG-IP, SSL/TLS is used in multiple ways, including for the data plane and to the management GUI This posting will cover both of these vectors. Finally, we’ll talk about outbound connections from a BIG-IP, including monitors.
Data plane In 11.5.0, F5 made the decision to be secure by default and disable SSLv3 ciphers by default for the traffic path. This is documented in SOL15022. If you are running 11.5.0 or later, your default clientssl and serverssl profiles do not contain SSLv3 ciphers and SSLv3 cannot be negotiated. If your SSL profile derives from these profiles, your application is not vulnerable. On all versions, you can disable SSLv3 ciphers by adding the string “!SSLv3” to your clienssl or serverssl profile. The procedure to change your ciphers is well described in SOL 13171. Please note that by default all clientssl and serverssl profiles inherit from the base profiles. If you have changed your ciphers in any of your SSL profiles, you will have to add “!SSLv3” to those profiles' cipher lists also.
Management plane BIG-IP has a management GUI that is contacted over SSL. By default, SSLv3 ciphers are enabled on all releases. This is configurable and covered in SOL 13405. To remove SSLv3 from 11.5.x and 11.6.x, you can disable SSLv3 via the command console like this:
[root@bigip1:Active:Standalone] templates # tmsh list /sys httpd
sys httpd {
ssl-protocol "all -SSLv2"
}
[root@bigip1:Active:Standalone] templates # tmsh modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"
We are still working on a comprehensive solution for versions prior to 11.5.x.
Outbound connections Many outbound connections are made by BIG-IP, including monitors. These may use SSLv3, but are not full fledged browsers and make single connections rather than the multiple transactions required for the attack. We believe these connections are not vulnerable.
Testing for SSLv3 connections You can test for SSLv3 is enabled with a simple command line from a machine with OpenSSL installed.
# openssl s_client -connect target:443 -ssl3
If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.
Conclusion F5 has not seen this attack in the wild. The security community has known about BEAST and similar attacks for some time. F5 took the first step to removing SSLv3 in 11.5.0. We will continue to make “secure by default” choices for future versions.
Would enabling "no sslv3" option and not modifying the cipher string, disable cipher strings utilizing SSLv3? For example I have a profile which has "default" set as its cipher string, and some may contain others, depending on the profile, can I just update the base profile to use option no sslv3 and would that overwrite everything else regarding sslv3 or do I need to even update the cipher string to default:!sslv3.
For me, on 11.4.1, the data plane stuff works. The management plane does not - I get an error:
tmsh modify /sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3'
01070920:3: Application error for confpp: Syntax OK
Error in cipher list
10147:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223:
'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3' invalid.
If I try the command without !SSLv3, it works - it appears SSLv3 is not available on 11.4.1. As this is the management plane I'm less concerned about this, but it would be nice to close it off for completeness. We are planning an upgrade to 11.6, hopefully it should work there!
Ciphers are not protocols. Disabling a "SSLv3" cipher is not the same as disabling the SSLv3 protocol. @Jason Rahm has the right idea, disable the whole SSLv3 protocol using the "No SSLv3" option in your base "clientssl" profile. That way it (should) automatically apply to everything the F5 provides offload for, no extra work needed.
@JCMATTOS to view your protocol connection counts globally run:
Below pulls out the SSL/TLS/DTLS metrics
tmsh show ltm profile client-ssl global | egrep "Version|TLS"
Below pulls out the Profile and SSL/TLS/DTLS metrics:
tmsh show ltm profile client-ssl all | egrep "Ltm|Version|TLS"
Also to reset Client SSL metrics and gather in real time run:
tmsh reset-stats ltm profile client-ssl
The re-run the above commands
How can I analyze the connections made? It would be useful if I could get metrics on just how many SSLv3 connections are negotiated before decided on how I should mitigate it. Is there a way to report on such connections?
If you are scared you could redirect Clients connected via SSLv3 to a error page:
when HTTP_REQUEST {
if { [SSL::cipher version] eq "SSLv3" } {
HTTP::respond 302 Location "http://errorURL" noserver
}
}
SSL profiles have the options list, where "No SSLv3" can be selected to disable SSLv3. Similarly, "No TLSv1" can also be selected to disable TLSv1.0 (for the question asked by jddimas).
SSL profiles have the options list, where "No SSLv3" can be selected to disable SSLv3 on all traffic using that profile. Similarly, the option "No TLSv1" can be selected to disable all TLS1.0 traffic, if so desired (as asked by jddimas above).
Addressing Rishabh's question:
If the "No SSLv3" option is enabled, then the cipher string modification is not required.
Also, to address your point of modifying the base profile: If a base profile is modified in this manner, all profiles inherited from that base profile will take the same affect.
I should also mention that v11.5.0 onwards, SSLv3 is not included in the DEFAULT ciphersuites.
Tested on 11.4.0 and 11.4.1 (this is not official): Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'.
•Google intends to remove SSL 3.0 fallback support from its clients, such as Chrome (http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html)
•Slack (https://twitter.com/SlackHQ/status/522287581862457345) and Twitter (https://twitter.com/twittersecurity/status/522190947782643712) no longer support SSL 3.0.
•Mozilla (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/) will kill Firefox’s support for SSL 3.0 in version 34, due November 25.
•Tor (https://lists.torproject.org/pipermail/tor-talk/2014-October/035228.html), designed to aid online anonymity, does not in itself support SSL 3.0, but its Firefox-based browser does and will also need updating. The post gives instructions on disabling SSL 3.0 manually.
>Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'.
But after the reboot, ssl.conf reverts to old conf...
For those that are on version 10.2.3 - 10.2.4 and are unable to break away from SSLv3 the following cipher may be helpful. What it does is offer up the Default F5 Ciphers for your version and negates the use of RC4 (CVE-2013-2566), and CBC/CBC3 (CVE-2014-3566) ciphers, orders according to strength, and yet still allows for some usage of the SSLv3 protocol. This won't get you any awards with your clients that are looking for the complete removal of SSLv3, but will allow you to assess your usage and migrate. Also if any of your clients run a security scan it will most likely will come up with low grade and vulnerable (Example Qualys SSL Labs) because they are not looking at which ciphers you are using. Last but not least, if you want to support IE 6 you will need to remove the negation of RC4 (not recommended).
DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH
Note: In general use caution when running the tmm command. I have caused a box to crash and reboot by not providing the correct options on another unrelated command. What this command does is show you the yield of your client cipher settings. This is extremely helpful to know what you are offering up based on what you set in your SSL profiles cipher setting.
[mytypedoverusername@lab-lb1:Active] ~ tmm --clientciphers 'DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
4: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
5: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
my F5 version is 10.2.4 LTM
I tried to try the command to test SSL3, my dump screen as follow
openssl s_client -connect target:443 -ssl3
getaddrinfo: Name or service not known
connect:errno=2
What's result mean?
Is it possible to add an iRule that logs if someone negotiates on sslv3... we would like to know approximately how many endusers we will end up dropping if we disable SSLv3.
Thanks!
Before you disable SSLv3 on your servers, verify that the version you are running supports TLS monitors. Monitors run out of OpenSSL which is different from payload (unless you are using COMPAT which I believe forces the use of OpenSSL for payload as well. Run openssl ciphers -v 'ALL:!SSLv2' and see what is available for monitors.
Concerning my last comment related to monitors, I found that even though OpenSSL found in older code like 10.2.4 does not show TLS as an option. It does support TLS for monitors.
Is there a way to fallback CVE-2014-3566 (SSLv3+SSLv2)? I followed the steps (https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html) for 10.2.4 HF11 version and now I will enable again SSLv3 and SSLv2, how can I do this? I couldn’t find any documentation. Thank you in advance!
I think sslv3 is removed from v11.5.3 onwards. I tried enable "no sslv3" it still returns "secure renegotiation IS NOT suppported" when I run "openssl s_client -connect target:port -ssl3"
