Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
Jeff_Costlow_10
Historic F5 Account

The POODLE (CVE-214-03566) vulnerability can force a client to negotiate SSLv3 instead of TLSv1.x ciphers. Then a BEAST-like attack can be conducted against SSLv3 to obtain information from the encrypted stream. This isn't necessarily a new attack, and there has been some speculation about how feasible attacks like BEAST are in the real world, but POODLE makes BEAST much easier.

F5 has analyzed the situation and recommends customers disable SSLv3 when possible.
This article will give you the information you need to disable SSLv3. Please also consult the official F5 SOL 15702.

Background
SOL8802 provides a starting point for information about TLS on a BIG-IP. It has many links to help you change your cipher specifications for the different versions of BIG-IP. I’ll be making references to many of the linked SOLutions in this article.
Second, please read my article from last year about cipher selection.
If you disable SSLv3 ciphers, you may be locking out some legacy clients. Wikipedia has a great table for SSL/TLS browser support. Always test to make sure that you haven’t blocked legitimate clients. If you know of legacy SSLv3 clients, you may want to upgrade them as soon as possible.

On a BIG-IP, SSL/TLS is used in multiple ways, including for the data plane and to the management GUI This posting will cover both of these vectors. Finally, we’ll talk about outbound connections from a BIG-IP, including monitors.

Data plane
In 11.5.0, F5 made the decision to be secure by default and disable SSLv3 ciphers by default for the traffic path. This is documented in SOL15022.
If you are running 11.5.0 or later, your default clientssl and serverssl profiles do not contain SSLv3 ciphers and SSLv3 cannot be negotiated. If your SSL profile derives from these profiles, your application is not vulnerable.
On all versions, you can disable SSLv3 ciphers by adding the string “!SSLv3” to your clienssl or serverssl profile.
The procedure to change your ciphers is well described in SOL 13171.
Please note that by default all clientssl and serverssl profiles inherit from the base profiles. If you have changed your ciphers in any of your SSL profiles, you will have to add “!SSLv3” to those profiles' cipher lists also.

Management plane
BIG-IP has a management GUI that is contacted over SSL. By default, SSLv3 ciphers are enabled on all releases.
This is configurable and covered in SOL 13405. To remove SSLv3 from 11.5.x and 11.6.x, you can disable SSLv3 via the command console like this:

[root@bigip1:Active:Standalone] templates # tmsh list /sys httpd
sys httpd {
    ssl-protocol "all -SSLv2"
}
[root@bigip1:Active:Standalone] templates # tmsh modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"

We are still working on a comprehensive solution for versions prior to 11.5.x.

Outbound connections
Many outbound connections are made by BIG-IP, including monitors. These may use SSLv3, but are not full fledged browsers and make single connections rather than the multiple transactions required for the attack. We believe these connections are not vulnerable.

Testing for SSLv3 connections
You can test for SSLv3 is enabled with a simple command line from a machine with OpenSSL installed.

# openssl s_client -connect target:443 -ssl3

If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.

Conclusion
F5 has not seen this attack in the wild. The security community has known about BEAST and similar attacks for some time. F5 took the first step to removing SSLv3 in 11.5.0. We will continue to make “secure by default” choices for future versions.

Comments
JRahm
Community Manager
Community Manager
In lieu of altering your cipher string, you can also enable "No SSLv3" from the options list.
JRahm
Community Manager
Community Manager
You can test externally against your sites with https://www.ssllabs.com/ssltest/index.html as well.
Nathan_Bultman_
Historic F5 Account
SOL15702 has been posted to track this. https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html
Mike_Maher
Nimbostratus
Nimbostratus
Is there a way to do TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value with the SSL profiles on the Big-IP?
jddimas_131808
Nimbostratus
Nimbostratus
In version BIG-IP 10.2.3 Build 112.0 Final, once I disable this I am pretty much left with TLSv1.0 and 1.2. How do I disable TLSv1.0 and keep 1.2?
Rishabh_Gupta_7
Nimbostratus
Nimbostratus
Would enabling "no sslv3" option and not modifying the cipher string, disable cipher strings utilizing SSLv3? For example I have a profile which has "default" set as its cipher string, and some may contain others, depending on the profile, can I just update the base profile to use option no sslv3 and would that overwrite everything else regarding sslv3 or do I need to even update the cipher string to default:!sslv3.
Zak_Beck
Nimbostratus
Nimbostratus
For me, on 11.4.1, the data plane stuff works. The management plane does not - I get an error: tmsh modify /sys httpd ssl-ciphersuite 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3' 01070920:3: Application error for confpp: Syntax OK Error in cipher list 10147:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1223: 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!SSLv2:!SSLv3' invalid. If I try the command without !SSLv3, it works - it appears SSLv3 is not available on 11.4.1. As this is the management plane I'm less concerned about this, but it would be nice to close it off for completeness. We are planning an upgrade to 11.6, hopefully it should work there!
Xylene_UK_11374
Nimbostratus
Nimbostratus
tmsh modify /sys httpd ssl-ciphersuite 'ALL:!EXPORT40:!EXP:!LOW!:SSLv3' can you verify if that's good? seems to work on 11.4.x
Xylene_UK_11374
Nimbostratus
Nimbostratus
tmsh modify /sys httpd ssl-ciphersuite 'ALL:!EXPORT40:!EXP:!LOW:!SSLv3' that works in 11.4.x can you verify its good?
Jeff_Costlow_10
Historic F5 Account
TLS_FALLBACK_SCSV is not currently implemented for the data plane. It is on the roadmap and being evaluated.
Drew_Northup
Nimbostratus
Nimbostratus
Ciphers are not protocols. Disabling a "SSLv3" cipher is not the same as disabling the SSLv3 protocol. @Jason Rahm has the right idea, disable the whole SSLv3 protocol using the "No SSLv3" option in your base "clientssl" profile. That way it (should) automatically apply to everything the F5 provides offload for, no extra work needed.
JCMATTOS_41723
Nimbostratus
Nimbostratus
Is there a way to view all the F5 services or connections using SSLv3 to do an inventory count?
Walter_Kacynski
Cirrostratus
Cirrostratus
What is the timeline to support TLS_FALLBACK_SCSV?
jba3126
Cirrus
Cirrus
Any recommendations for version 10.x for the management GUI?
jba3126
Cirrus
Cirrus
@JCMATTOS to view your protocol connection counts globally run: Below pulls out the SSL/TLS/DTLS metrics tmsh show ltm profile client-ssl global | egrep "Version|TLS" Below pulls out the Profile and SSL/TLS/DTLS metrics: tmsh show ltm profile client-ssl all | egrep "Ltm|Version|TLS" Also to reset Client SSL metrics and gather in real time run: tmsh reset-stats ltm profile client-ssl The re-run the above commands
Mike_Sullivan_2
Nimbostratus
Nimbostratus
How can I analyze the connections made? It would be useful if I could get metrics on just how many SSLv3 connections are negotiated before decided on how I should mitigate it. Is there a way to report on such connections?
Mike_Sullivan_2
Nimbostratus
Nimbostratus
Sorry, I missed Jeff Allen's post on metrics below. That will do it for showing version activity.
Wand_97484
Nimbostratus
Nimbostratus
If you are scared you could redirect Clients connected via SSLv3 to a error page: when HTTP_REQUEST { if { [SSL::cipher version] eq "SSLv3" } { HTTP::respond 302 Location "http://errorURL" noserver } }
Neha_51838
Historic F5 Account
SSL profiles have the options list, where "No SSLv3" can be selected to disable SSLv3. Similarly, "No TLSv1" can also be selected to disable TLSv1.0 (for the question asked by jddimas).
Neha_51838
Historic F5 Account
SSL profiles have the options list, where "No SSLv3" can be selected to disable SSLv3 on all traffic using that profile. Similarly, the option "No TLSv1" can be selected to disable all TLS1.0 traffic, if so desired (as asked by jddimas above).
Neha_51838
Historic F5 Account
Addressing Rishabh's question: If the "No SSLv3" option is enabled, then the cipher string modification is not required. Also, to address your point of modifying the base profile: If a base profile is modified in this manner, all profiles inherited from that base profile will take the same affect. I should also mention that v11.5.0 onwards, SSLv3 is not included in the DEFAULT ciphersuites.
Deepak123_16590
Nimbostratus
Nimbostratus
what we should do if we running 9.2.x?
Deepak__M_K_165
Nimbostratus
Nimbostratus
Is the version 9.2.x is vulnarable or do f5 have a fix ?
Riley_Schuit_82
Historic F5 Account
Tested on 11.4.0 and 11.4.1 (this is not official): Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'.
Neha_51838
Historic F5 Account
•Google intends to remove SSL 3.0 fallback support from its clients, such as Chrome (http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html) •Slack (https://twitter.com/SlackHQ/status/522287581862457345) and Twitter (https://twitter.com/twittersecurity/status/522190947782643712) no longer support SSL 3.0. •Mozilla (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/) will kill Firefox’s support for SSL 3.0 in version 34, due November 25. •Tor (https://lists.torproject.org/pipermail/tor-talk/2014-October/035228.html), designed to aid online anonymity, does not in itself support SSL 3.0, but its Firefox-based browser does and will also need updating. The post gives instructions on disabling SSL 3.0 manually.
YosYam_100630
Nimbostratus
Nimbostratus
>Edit the file /config/httpd/conf.d/ssl.conf: line 'SSLProtocol all' to: 'SSLProtocol all -SSLv2 -SSLv3'. then: 'bigstart httpd restart'. But after the reboot, ssl.conf reverts to old conf...
jba3126
Cirrus
Cirrus
For those that are on version 10.2.3 - 10.2.4 and are unable to break away from SSLv3 the following cipher may be helpful. What it does is offer up the Default F5 Ciphers for your version and negates the use of RC4 (CVE-2013-2566), and CBC/CBC3 (CVE-2014-3566) ciphers, orders according to strength, and yet still allows for some usage of the SSLv3 protocol. This won't get you any awards with your clients that are looking for the complete removal of SSLv3, but will allow you to assess your usage and migrate. Also if any of your clients run a security scan it will most likely will come up with low grade and vulnerable (Example Qualys SSL Labs) because they are not looking at which ciphers you are using. Last but not least, if you want to support IE 6 you will need to remove the negation of RC4 (not recommended). DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH Note: In general use caution when running the tmm command. I have caused a box to crash and reboot by not providing the correct options on another unrelated command. What this command does is show you the yield of your client cipher settings. This is extremely helpful to know what you are offering up based on what you set in your SSL profiles cipher setting. [mytypedoverusername@lab-lb1:Active] ~ tmm --clientciphers 'DEFAULT:!RC4:!DES-CBC3-SHA:@STRENGTH' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 4: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 5: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
William_Ng_55_1
Nimbostratus
Nimbostratus
my F5 version is 10.2.4 LTM I tried to try the command to test SSL3, my dump screen as follow openssl s_client -connect target:443 -ssl3 getaddrinfo: Name or service not known connect:errno=2 What's result mean?
pi11_72182
Nimbostratus
Nimbostratus
Is it possible to add an iRule that logs if someone negotiates on sslv3... we would like to know approximately how many endusers we will end up dropping if we disable SSLv3. Thanks!
John_Heyer_1508
Cirrostratus
Cirrostratus
I upgraded to 11.5.1 HF6 and SSL labs now reports that TLS_FALLBACK_SCSV is supported. Didn't see anything about it in the release notes. Weird.
Mike_Dayton_108
Nimbostratus
Nimbostratus
Before you disable SSLv3 on your servers, verify that the version you are running supports TLS monitors. Monitors run out of OpenSSL which is different from payload (unless you are using COMPAT which I believe forces the use of OpenSSL for payload as well. Run openssl ciphers -v 'ALL:!SSLv2' and see what is available for monitors.
Mike_Dayton_108
Nimbostratus
Nimbostratus
Concerning my last comment related to monitors, I found that even though OpenSSL found in older code like 10.2.4 does not show TLS as an option. It does support TLS for monitors.
Fotis_191218
Nimbostratus
Nimbostratus
Is there a way to fallback CVE-2014-3566 (SSLv3+SSLv2)? I followed the steps (https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html) for 10.2.4 HF11 version and now I will enable again SSLv3 and SSLv2, how can I do this? I couldn’t find any documentation. Thank you in advance!
ckwok
Nimbostratus
Nimbostratus
I think sslv3 is removed from v11.5.3 onwards. I tried enable "no sslv3" it still returns "secure renegotiation IS NOT suppported" when I run "openssl s_client -connect target:port -ssl3"
Version history
Last update:
‎18-Mar-2022 10:06
Updated by: