
08/30/2008

BigIP - Disabling SSLv2, Null and Weak Ciphers

If you are looking for a quick and easy iRule that will help with remediating your site's compliance findings around weak SSL ciphers, weak SSL protocol support and the like, don't bother. You don't need an iRule to do this. You can restrict the protocols and ciphers you allow through to your site using the SSL Client profile that you have assigned to your VIP.

Any site on a BigIP LTM that terminates SSL at the BigIP will have an SSL Client profile attached to it. The base SSL Client profile defines the certificate and private key pair that your Virtual Server will present when the SSL handshake between your site and the browser occurs.

Please note that this is not the officially supported mechanism for disabling SSLv2 or Null/Weak Ciphers on the BigIP, but if you are in a similar bind to mine, with only a few weeks to remediate 100+ sites and no appetite for system-level configuration changes to your LTM, this method will let you hit your deadline while still remediating the vulnerabilities, and it will give you time to plan the system-level change properly.

In a pinch, you can modify the SSL Client profile for each of your sites, select the Ciphers section and paste the following into it:

ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW


Save the profile and use a free scanner such as SSLDigger from Foundstone to verify that all of your weak ciphers are gone.
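To reason about what that cipher string keeps and drops before you touch 100+ profiles, here is an added example (mine, not part of the original post and not F5's or OpenSSL's parser): a small Python model of OpenSSL-style cipher-string evaluation, run over a constructed catalog of ten suites. The catalog, the keyword table and the "weak" policy in remaining_weak are assumptions built for illustration; the real authority on what the device negotiates is the scanner run after the change.

```python
"""Simplified model of how an OpenSSL-style cipher string (the format the
BigIP SSL Client profile Ciphers field accepts) selects cipher suites.

Illustrative code added to this post; it is not F5's or OpenSSL's parser.
The suite catalog is constructed and deliberately tiny.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# The cipher string from the post.
PROFILE_CIPHERS = "ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL-style suite name
    kx: str         # key exchange/authentication: "RSA" or "ADH" (anonymous)
    enc: str        # bulk cipher: "AES256", "RC4", "DES", "3DES", "RC2", "NULL"
    bits: int       # effective key strength in bits (0 = no encryption)
    protocol: str   # earliest protocol the suite belongs to: "SSLv2" or "SSLv3"
    export: bool    # export-grade (deliberately crippled key length)


# Constructed catalog covering strong, weak, export, anonymous,
# null-encryption and SSLv2-only cases.
CATALOG: List[Suite] = [
    Suite("AES256-SHA",      "RSA", "AES256", 256, "SSLv3", False),
    Suite("AES128-SHA",      "RSA", "AES128", 128, "SSLv3", False),
    Suite("RC4-SHA",         "RSA", "RC4",    128, "SSLv3", False),
    Suite("DES-CBC-SHA",     "RSA", "DES",     56, "SSLv3", False),
    Suite("EXP-RC4-MD5",     "RSA", "RC4",     40, "SSLv3", True),
    Suite("EXP-DES-CBC-SHA", "RSA", "DES",     40, "SSLv3", True),
    Suite("ADH-AES128-SHA",  "ADH", "AES128", 128, "SSLv3", False),
    Suite("NULL-MD5",        "RSA", "NULL",     0, "SSLv3", False),
    Suite("DES-CBC3-MD5",    "RSA", "3DES",   168, "SSLv2", False),
    Suite("EXP-RC2-CBC-MD5", "RSA", "RC2",     40, "SSLv2", True),
]

# Keyword predicates following the ciphers(1) conventions the post's string
# relies on. ALL excludes null-encryption suites, so NULL suites only show
# up if eNULL is named explicitly.
KEYWORDS: Dict[str, Callable[[Suite], bool]] = {
    "ALL":      lambda s: s.enc != "NULL",
    "eNULL":    lambda s: s.enc == "NULL",
    "NULL":     lambda s: s.enc == "NULL",
    "aNULL":    lambda s: s.kx == "ADH",
    "ADH":      lambda s: s.kx == "ADH",
    "RSA":      lambda s: s.kx == "RSA",
    "SSLv2":    lambda s: s.protocol == "SSLv2",
    "SSLv3":    lambda s: s.protocol == "SSLv3",
    "EXP":      lambda s: s.export,
    "EXPORT":   lambda s: s.export,
    "EXPORT40": lambda s: s.export and s.bits == 40,
    "LOW":      lambda s: not s.export and 0 < s.bits < 128,
    "MEDIUM":   lambda s: not s.export and s.bits == 128,
    "HIGH":     lambda s: not s.export and s.bits > 128,
}


def _select(term: str, catalog: List[Suite]) -> List[Suite]:
    """Suites matching a term. 'A+B' means A and B must both match; a term
    that is not a keyword is treated as a literal suite name."""
    parts = term.split("+")
    matched = []
    for s in catalog:
        ok = True
        for p in parts:
            pred = KEYWORDS.get(p)
            ok = ok and (s.name == p if pred is None else pred(s))
        if ok:
            matched.append(s)
    return matched


def evaluate(cipher_string: str, catalog: List[Suite] = CATALOG) -> List[str]:
    """Suite names enabled by cipher_string, in preference order.
    '!X' removes X permanently, '-X' removes X but a later term may re-add
    it, a bare term appends matching suites not already present.
    Modifiers such as @STRENGTH are ignored in this model."""
    enabled: List[Suite] = []
    killed: Set[str] = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token or token.startswith("@"):
            continue
        if token[0] == "!":
            killed.update(s.name for s in _select(token[1:], catalog))
            enabled = [s for s in enabled if s.name not in killed]
        elif token[0] == "-":
            gone = {s.name for s in _select(token[1:], catalog)}
            enabled = [s for s in enabled if s.name not in gone]
        else:
            for s in _select(token, catalog):
                if s.name not in killed and s not in enabled:
                    enabled.append(s)
    return [s.name for s in enabled]


def remaining_weak(cipher_string: str, min_bits: int = 128,
                   catalog: List[Suite] = CATALOG) -> List[str]:
    """Enabled suites a compliance scanner would still flag: anonymous key
    exchange, null/export/short-key encryption, or SSLv2-only."""
    by_name = {s.name: s for s in catalog}
    flagged = []
    for name in evaluate(cipher_string, catalog):
        s = by_name[name]
        if (s.kx == "ADH" or s.enc == "NULL" or s.export
                or s.bits < min_bits or s.protocol == "SSLv2"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("enabled:   ", evaluate(PROFILE_CIPHERS))
    print("still weak:", remaining_weak(PROFILE_CIPHERS))
```

Against this catalog the post's string leaves AES256-SHA, AES128-SHA and RC4-SHA and nothing the scanner would flag; note that 128-bit RC4 survives because the string only removes LOW, export, anonymous and SSLv2 suites, and that the NULL suite is absent only because ALL excludes it by convention. Whether the device's own parser treats ALL the same way is exactly what the SSLDigger pass after saving the profile should confirm.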
