Forum Discussion

Doran_Lum
Jun 11, 2020

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

We have a few F5 VIPs on our LTM that have the TLS triple handshake vulnerability as detected by the scan.

I was reading the article below and it seems it's enabled by default. Why are only some VIPs detected, while the other F5 VIP doesn't seem to be affected?

And is the option to disable it only available through PuTTY?

https://support.f5.com/csp/article/K66202244

1 Reply

  • Which TMOS version are you using?

    Just to make sure, are you seeing a difference between SSL-enabled VIPs, not between a non-SSL and an SSL-enabled VIP?

    As for your last question, yes, the setting can only be changed from the CLI, but in general you don't want to change the setting, as it is a way to prevent the TLS triple handshake.

    Assuming this comes from Qualys, this thread is interesting to read:

    https://qualys-secure.force.com/discussions/s/question/0D52L00004TnvDPSAZ/regarding-rfc-7627-on-transport-layer-security-tls-session-hash-and-extended-master-secret-extension-will-become-a-mandatory-tls-extension