I have a question regarding the rating of the ROBOT vulnerability with the SSL Labs scanning tool. Obviously the best options would be to apply the patch provided by F5 and/or remove RSA from the cipher suite profile.
However, I am curious if implementing the partially mitigating controls detailed here: (https://support.f5.com/csp/article/K21905460) would still get an F score come February?
The partially mitigating controls are:
- Lowering the Client SSL Handshake Timeout
- Rate limiting iRule
We fully intend to completely mitigate this vulnerability; unfortunately, this will take some time. I plan to implement the partially mitigating controls in the meantime until this is resolved, and just want clarification on whether these partial mitigations would still get flagged as vulnerable to ROBOT (per SSL Labs' grading) in February.
Thank you so much