cancel
Showing results for 
Search instead for 
Did you mean: 

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

Doran_Lum
Nimbostratus
Nimbostratus

We have a few F5 VIPs on our LTM that have the TLS triple handshake vulnerability as detected by the scan.

I was reading the article below and it seems it's enabled by default. Why only some VIPs are detected and the other F5 VIP doesn't seem to be affected ?

 

And the option to disabled it is only through putty ?

 

https://support.f5.com/csp/article/K66202244

1 REPLY 1

boneyard
MVP
MVP

which tmos version are you using?

 

just to make sure, you seeing a difference between SSL enabled VIPs? not between a non SSL and a SSL enabled VIP?

 

as for you last question, yes the setting can only be changed from the CLI, but in general you dont want to change the setting, as it is a way to prevent to tls triple handshake.

 

assuming this comes from qualys this thread is interesting to read:

https://qualys-secure.force.com/discussions/s/question/0D52L00004TnvDPSAZ/regarding-rfc-7627-on-transport-layer-security-tls-session-hash-and-extended-master-secret-extension-will-become-a-mandatory-tls-extension