SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side
We have a client reporting a problem connection to one of our endpoints after they upgraded their appliance that uses SSL 3.0.7. I've read around a little and I believe this is in relation to the recent security issue announced by OpenSSL. Their device I believe uses an IBM APIConnect Gateway. The error they are getting with the connection since the upgrade happened is the following (IP and gtid obfuscated for security): May3014:08:08npe-dp-sac-node1[APIConnect_Gateway][0x8120002f][ssl][error]ssl-client(bsc_dev2_tlsp-tls-client-profile-defaultV1.0.0):trans(4705632)[10.10.10.10]gtid(#################):TLSlibraryerror:error:141E3152:SSLroutines:final_renegotiate:unsafelegacyrenegotiationdisabled I'm concerned after digging around, that our F5 might not be ready or setup to accept traffic from devices that have been updated with this new version of SSL 3.0.7. I am the SME for the F5 support at our company and I don't have a lot of experience on this end of the configuration. Is there something we need to do on the F5 to safely allow this traffic?Solved3.6KViews0likes3CommentsCipher Suite Ordering
I need to order my ciphers in a very specific way. Using this command 'tmm --clientciphers 'ECDHE+AES-GCM:ECDHE+AES:' I get; ID SUITE BITS PROT METHOD CIPHER MAC KEYX 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA What I need, however, is; ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-CBC-SHA ECDHE-RSA-AES128-CBC-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA Which means moving line 7 in the original to line 4. How can I specify the EXACT order I want them in? Thanks in advance376Views0likes3CommentsCipher Suite: Disable DHE / EDH?
Hi does somebody know how to disable DHE/DSS and EDH/RSA KeyX Algorithms? Thanks, Rolf [root@bigip1:Active:Standalone] config tmm --clientciphers 'ECDHE::AES:!ECDH_RSA:!ECDH_ECDSA:!DES:!SHA:!SSLv3:!SSLv2' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 4: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA 5: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA 6: 106 DHE-DSS-AES256-SHA256 256 TLS1.2 Native AES SHA256 DHE/DSS 7: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 8: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA 9: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA 10: 64 DHE-DSS-AES128-SHA256 128 TLS1.2 Native AES SHA256 DHE/DSS 11: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA653Views0likes3CommentsCA issued device SSL certificate assistance needed
BLUF - CA signed device certificate is required. The built in GUI generated certificate request (.req) is missing info required by the CA. The plain vanilla OpenSSL generated .req is missing info required by the CA. OpenSSL seems to be the way to go. How to add/specify the "Key Usage" and "Extended Key Usage" attributes/parameters to an openSSL generated certificate .req. It will look like: KeyUsage = <hex value> and EnhancedKeyUsageExtension OID=x.x.x.x.x.x.x.x.x Changing CA is not an option. Using a self-signed certificate is not an option. Thanks in advance430Views0likes0CommentsOpenSSL command line on F5 LTM CSR/key generation
Been searching for a way to insert data into a command line and I'm having some issues, not sure if anyone has had success with this. I'm ultimately looking to automate a bulk cert and key generation from a txt file inputting the CN's. I'm currently trying to isolate the command to add in the details in the -subj section. I'm not sure what I'm missing and been staring at it too long. My searches so far have not been fruitful on finding good examples of this. Any advise would be appreciated. Note I did enter it without the variables. Thanks everyone! openssl req -new -key ./bulk.key/$domain_rebrand.key -out ./bulk.csr/$domain_rebrand.csr -passin pass:$password \ -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email" Variables: country=United States state=xxxxxx locality=xxxxxxx organization=xxxxxxx organizationalunit=IT email=xxxxxxxxx@xxxx.com1KViews0likes6CommentsSSL handshake errors
Hi there, Recently put TMOS version 12 into production and see following SSL handshake errors, none of which existed in version 10.2.3: Nov 12 03:15:36 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 72.238.29.206:60819 -> x.x.x.x:443 Nov 12 03:15:55 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 96.241.137.52:50815 -> x.x.x.x:443 Nov 12 03:16:12 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP 166.172.187.30:38119 -> x.x.x.x:443 Nov 12 03:16:32 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: hud_ssl_handler:1135: codec alert (20) Nov 12 03:16:32 dc1lbc2p info tmm[11446]: 01260013:6: SSL Handshake failed for TCP y.y.y.y:63127 -> z.z.z.z:443 Nov 12 03:18:53 dc1lbc2p warning tmm[11446]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40) Did ssldump and ssl debugs but can't figure it out. There are no low encryption ciphers being presented by clients. In fact I don't see any handshake errors in the packet captures. Its pretty baffling. Would be great if someone can throw some light. Techs at F5 haven't been able to figure it out either. Thanks Naresh2.2KViews0likes43Commentsssl certificate list location
Hey, I was wondering where the ssl certificate location would be on the f5 I did a find command but only lead me to the ssl.crt directories. I am looking to the similar location that would show me the same files as I would see when looking at System ›› File Management : SSL Certificate List on the F5 gui. Thanks234Views0likes1CommentNew OpenSSL vulnerability - CVE-2014-0224
Hey community, there's a new OpenSSL vulnerability out there in the wild. I say new, but...newly discovered. Turns out it's been there a while. Anyway, F5 solution 15325 for the details. A quick note: The vulnerability is with OpenSSL, not the F5 SSL Stack. So if you are offloading SSL with native ciphers on your BIG-IP, this is not a vulnerability for your traffic. The management interface uses OpenSSL, however, so it might be vulnerable based on your BIG-IP version, check the solution. David Holmes is correct yet again that SSL is "this close to being completely broken!"241Views0likes2Comments