sslo
18 Topics

SSLO Security policies; do we still need the Pinners category?
Playing with SSLO again, and came across the Pinners category in the Security Policy (the category of websites that immediately bypass SSLO due to their use of pinned certificates). (More detail on certificate pinning: https://community.f5.com/t5/technical-articles/implementing-ssl-orchestrator-guided-configuration/ta-p/285880 and https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning.) It seems that HTTP pinning and certificate pinning have now mostly been deprecated (https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning and https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning), but the Pinners category still exists. I've removed quite a few of the domains from the category, tested again with forged certificates, and all sites still work! (Which I believe they shouldn't if pinning was still in place at those sites.) And Google, classically being one of the biggest users of pinning initially, isn't even in the Pinners category anymore. So, should SSLO still configure the Pinners category by default, or should it now be removed by default and pinning only be kept in the back of our minds in case we do come across a website that uses it? (Or a third and just as likely option: have I completely misunderstood something?)

Solved · 1.4K views · 1 like · 4 comments

Common Name for Public/Signed SSL Certificate
Hi Community, just want to ask regarding purchasing a signed public SSL certificate. Does the common name need to be a registered DNS domain? Because what we are planning is to use a DNS domain currently defined in their AD server, but that DNS domain is not a registered DNS domain on the Internet. Ex. proxy.internal-xyz.com, intended only for internal use for a clientssl profile using F5 SSLO Forward Proxy. Thanks.

365 views · 1 like · 1 comment