It's a little bit late but I wanted to write a short entry about how to deal with the Sweet32 vulnerability which was announced towards the end of last year. I'm going to avoid regurgitating all the various details and aspects relating to this vulnerability but more focus on how simple it is to mitigate it when using the SSL Termination/Offloading options available on a Loadbalancer.org appliance. I am including a couple reference page links which delve into the nitty-gritty in significant detail if you wish/need/choose to further educate yourself on the subject.
When configuring SSL Termination/Offloading and using the default cipher list, a scan using SSL Labs will produce an A which is great. One thing with our default list is that it could result in a scan indicating that there may be a vulnerability to Sweet32. Sweet32 has several potential methods to be exploited but the one which potentially affects a Loadbalancer.org appliance is the use of the Triple-DES legacy cipher when performing SSL Termination/Offloading.
To mitigate this, it is a simple case of altering the cipher list slightly, adding a !3DES, to prevent the use of the Triple-DES cipher.
ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!RC4:!MD5:!aNULL:!EDH
Should become:
ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA:HIGH:!3DES:!RC4:!MD5:!aNULL:!EDH
Having rescanned the SSL Labs tooling with the updated cipher list, we still get an A but now the Sweet32 vulnerability is also being prevented.
