CVE-2014-3566: Removing SSLv3 from BIG-IP
The POODLE (CVE-2014-3566) vulnerability can force a client to negotiate SSLv3 instead of TLSv1.x ciphers. Then a BEAST-like attack can be conducted against SSLv3 to obtain information from the encrypted stream. This isn't necessarily a new attack, and there has been some speculation about how feasible attacks like BEAST are in the real world, but POODLE makes BEAST much easier.
F5 has analyzed the situation and recommends customers disable SSLv3 when possible.
This article will give you the information you need to disable SSLv3. Please also consult the official F5 SOL 15702.
Background
SOL8802 provides a starting point for information about TLS on a BIG-IP. It has many links to help you change your cipher specifications for the different versions of BIG-IP. I’ll be making references to many of the linked SOLutions in this article.
Second, please read my article from last year about cipher selection.
If you disable SSLv3 ciphers, you may be locking out some legacy clients. Wikipedia has a great table for SSL/TLS browser support. Always test to make sure that you haven’t blocked legitimate clients. If you know of legacy SSLv3 clients, you may want to upgrade them as soon as possible.
On a BIG-IP, SSL/TLS is used in multiple ways, including for the data plane and for the management GUI. This posting will cover both of these vectors. Finally, we’ll talk about outbound connections from a BIG-IP, including monitors.
Data plane
In 11.5.0, F5 made the decision to be secure by default and disable SSLv3 ciphers by default for the traffic path. This is documented in SOL15022.
If you are running 11.5.0 or later, your default clientssl and serverssl profiles do not contain SSLv3 ciphers and SSLv3 cannot be negotiated. If your SSL profile derives from these profiles, your application is not vulnerable.
On all versions, you can disable SSLv3 ciphers by adding the string “!SSLv3” to your clientssl or serverssl profile.
The procedure to change your ciphers is well described in SOL 13171.
Please note that by default all clientssl and serverssl profiles inherit from the base profiles. If you have changed your ciphers in any of your SSL profiles, you will have to add “!SSLv3” to those profiles' cipher lists also.
Management plane
BIG-IP has a management GUI that is contacted over SSL. By default, SSLv3 ciphers are enabled on all releases.
This is configurable and covered in SOL 13405. To remove SSLv3 from 11.5.x and 11.6.x, you can disable SSLv3 via the command console like this:
[root@bigip1:Active:Standalone] templates # tmsh list /sys httpd
sys httpd {
    ssl-protocol "all -SSLv2"
}
[root@bigip1:Active:Standalone] templates # tmsh modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"
We are still working on a comprehensive solution for versions prior to 11.5.x.
Outbound connections
Many outbound connections are made by BIG-IP, including monitors. These may use SSLv3, but they are not full-fledged browsers and make single connections rather than the multiple transactions required for the attack. We believe these connections are not vulnerable.
Testing for SSLv3 connections
You can test whether SSLv3 is enabled with a simple command line from a machine with OpenSSL installed.
# openssl s_client -connect target:443 -ssl3
If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.
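Returning to a prompt is an indirect signal: s_client also exits immediately when the target is unreachable or when the local OpenSSL build has no SSLv3 support. The script below is an added example, not part of the original article; it classifies s_client output by its "Cipher is" line. The function names are hypothetical and the sample transcripts are constructed.

```shell
#!/bin/bash
# Added example: decide what an `openssl s_client -ssl3` run actually showed.

# Reads s_client output on stdin; prints enabled, disabled or inconclusive.
classify_sslv3_probe() {
    awk '
        tolower($0) ~ /unknown option/ { unsupported = 1 }   # client built without SSLv3
        /Cipher is /                   { seen = 1; none = ($0 ~ /Cipher is \(NONE\)/) }
        END {
            if (unsupported || !seen) print "inconclusive"   # no handshake result to judge
            else if (none)            print "disabled"       # server refused SSLv3
            else                      print "enabled"        # SSLv3 session negotiated
        }'
}

# Probe one host:port. </dev/null makes s_client exit after the handshake.
probe_sslv3() {
    openssl s_client -connect "$1" -ssl3 </dev/null 2>&1 | classify_sslv3_probe
}

# Constructed sample transcripts (abridged), not captured from a real host.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
    Protocol  : SSLv3
    Cipher    : 0000'

SAMPLE_NO_CLIENT_SUPPORT='unknown option -ssl3
usage: s_client args'

SAMPLE_UNREACHABLE='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_ACCEPTED" "$SAMPLE_REFUSED" "$SAMPLE_NO_CLIENT_SUPPORT" "$SAMPLE_UNREACHABLE"; do
    printf '%s\n' "$s" | classify_sslv3_probe
done
```

A refused handshake still prints a session summary, including "Secure Renegotiation IS NOT supported", so only the "Cipher is" line is used to tell the two outcomes apart.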
Conclusion
F5 has not seen this attack in the wild. The security community has known about BEAST and similar attacks for some time. F5 took the first step to removing SSLv3 in 11.5.0. We will continue to make “secure by default” choices for future versions.
- Mike_Dayton_108 (Nimbostratus): Before you disable SSLv3 on your servers, verify that the version you are running supports TLS monitors. Monitors run out of OpenSSL, which is different from payload (unless you are using COMPAT, which I believe forces the use of OpenSSL for payload as well). Run openssl ciphers -v 'ALL:!SSLv2' and see what is available for monitors.
- Mike_Dayton_108 (Nimbostratus): Concerning my last comment related to monitors, I found that even though OpenSSL found in older code like 10.2.4 does not show TLS as an option, it does support TLS for monitors.
- Fotis_191218 (Nimbostratus): Is there a way to fallback CVE-2014-3566 (SSLv3+SSLv2)? I followed the steps (https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html) for 10.2.4 HF11 version and now I will enable again SSLv3 and SSLv2, how can I do this? I couldn’t find any documentation. Thank you in advance!
- ckwok (Nimbostratus): I think sslv3 is removed from v11.5.3 onwards. I tried to enable "no sslv3"; it still returns "secure renegotiation IS NOT supported" when I run "openssl s_client -connect target:port -ssl3"