Forum Discussion

Tokyo_Alex_3213's avatar
Tokyo_Alex_3213
Icon for Nimbostratus rankNimbostratus
Jul 12, 2017

About OpenSSL use

It just came to my understanding that when applying SSL profile on a virtual server, openSSL would not really be used. Well it would be used at a base level but at an upper level it's controlled by TMOS. Am I right ? (sorry if it's not well explained...)

 

So i was wondering if the traffic coming from internet and passing through the virtual server would be subject to openSSL's known vulnerabilities? (knowing that it is not really used)

 

Thanks

 

2 Replies

  • Hi

     

    F5's security-vulnerabilities within the documentation show OpenSSL vulnerabilities (CVE's) affecting some of their BIG-IP products. Example below:

     

    https://support.f5.com/csp/article/K13167034

     

    Sorry, I cannot anwser in depth on the SSL processing performed by the BIG-IP.

     

    However, it looks like they are affected by certain OpenSSL vulnerabilites.

     

    Hope this helps.

     

  • Hi,

     

    DEFAULT cipher does not use OpenSSL library and is not affected by OpenSSL vulnerabilities!

     

    If you change profile cipher to include COMPAT keyword, BIGIP will use OpenSSL library!