False detection of TLS Protocol Session Renegotiation Security Vulnerability (QID 38596)

Question asked by equalys user on Jun 24, 2015

We are currently seeing what we believe is a false detection of TLS Protocol Session Renegotiation Security Vulnerability (QID 38596).

 

We are currently running BIGIP-11.5, which, according to this F5 support page, is not vulnerable to CVE-2009-3555: https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html

 

Although the message implies that the F5 product to which the browser is connecting is vulnerable to this attack, all vulnerable F5 Products have been patched to disable SSL/TLS renegotiation, and some have been further enhanced to allow explicit control over renegotiation, thus mitigating this attack. For more information regarding completed and planned updates related to this vulnerability, refer to the following table. Note that ID 223836 specifically addresses this error message.

 

To further confuse the issue, we have multiple VIPs using the same SSL configuration. However, only one VIP out of many is showing this behavior.

 

Is anyone else seeing this issue?
