Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

SSLv3 POODLE mitigation recommendations

Jeff_Costlow_10
Historic F5 Account

on ‎24-Oct-2014 09:48

In our previous post, we discussed POODLE and legacy SSLv3 clients.

The best solution to POODLE is to disable SSLv3.
However, SSLv3 often can’t be disabled because legacy clients only speak SSLv3.

F5’s security teams have done some investigation, and we believe that using the RC4 can be used as POODLE mitigation for those legacy clients. RC4 is a stream cipher and is not vulnerable to the POODLE attack.

RC4 does have a known weakness. After hundreds of millions of messages, an attacker could recover the plaintext.

POODLE can recover information after only tens of thousands of attacks.

So even though RC4 is not recommended as a cipher, it remains more secure to use in SSLv3 sessions than AES-CBC.

If you cannot disable SSLv3, you may enable RC4-SHA only for use in SSLv3 sessions until you are able to replace all the legacy clients.

To configure your virtual server to only allow SSLv3 RC4-SHA, use a cipher string like the following:
"default:-RC4:-SSLv3:SSLv3+RC4-SHA"

“Default” sets the default ciphers, “-RC4" removes any ciphers that contain RC4 (this is optional). "-SSLv3” removes any SSLv3 ciphers, but “SSLv3+RC4-SHA” re-enables only the RC4-SHA cipher from SSLv3. Any client connecting via SSL3 will be forced to use RC4 rather than a CBC cipher that is vulnerable to POODLE.

See SOL 13171 for information on setting your cipher string.

There are known attacks against RC4 that are better than brute-force. But given POODLE, RC4 is the most secure SSLv3 cipher.
It is still recommended to disable SSLv3 and RC4 once you are able to remove all legacy clients.

Labels:
0 Kudos
Comments
Ian_124377
Nimbostratus
Nimbostratus
‎12-Nov-2014 03:37
I had one proposed solution. What about modifying client SSL profiles, and change the 'Cache Size' to a smaller value. This would require SSL renegotiation evey X requests. So, wouldn't that provide a better alternative to removing ciphers? This is just a thought. I would be interested in hearing others opinions on this.
0 Kudos
AKB_184311
Nimbostratus
Nimbostratus
‎26-Jan-2015 19:54
Hi.. Guided by your article, I am using following setting in my Nginx: ssl_ciphers "AES128+EECDH:AES128+EDH:!aNULL:-RC4:-SSLv3:SSLv3+RC4-SHA"; SSLLabs testing shows though the clients which don't have support for TLS e.g. IE/WinXP do use RC4 on SSLv3 to get connected but even those clients which don't use SSLv3 but use TLS 1.0 (and not TLS v1.2) e.g. IE 8-10/Win 7, IE8/XP, all Android < 4.4 start using RC4. Without the "-RC4:-SSLv3:SSLv3+RC4-SHA" part in above setting, they use stronger ciphers.
0 Kudos
Version history
Last update:
‎24-Oct-2014 09:48
Updated by:
Contributors
Copyright © 2023 Khoros, LLC