AnsweredAssumed Answered

TLS Poodle and F5 fix 10.2.4HF10

Question asked by John Doe on Dec 15, 2014
Latest reply on Dec 16, 2014 by Ivan Ristić

In light of the recent announcement about TLS POODLE vulnerabilities, F5 released HF10 for the 10.2.4 code base.  I have a ticket in F5 on this issue, but I am curious if anyone can expound upon how HF10 addresses the vulnerability. While running vulnerable code, the Qualys SSL scanner readily identifies the vulnerability on my virtual lab based F5 and seems valid. What is curious though is that after upgrading my device to 10.2.4HF10 and rerunning the scan, the SSL scanner indicates that the scan is inconclusive (Timeout). What I want to know is whether this is the behavior that should be exhibited by the F5 10.2.4HF10 code base? My initial exchange with F5 suggested that I should not be vulnerable and provided me a link to one of their sites running updated 11.x code where the Qualys scanner indicated that it was not vulnerable. It didn't have any vague message indicating that anything was out of line or inconclusive.


So, can anyone expound upon what the TLS Poodle scan is doing and what it means exactly by "Inconclusive (Timeout)"?  I mean, it is clear on the surface what it means, but I don't have an IPS or anything in front of the device, so there is nothing that should be causing a timeout. So it is either something with the behavior of the device post-update, how the scan is conducted, or something unbeknownst to me impacting the viability of the scan.


Any feedback from the community would be greatly appreciated.