Forum Discussion

Thiyagu's avatar
Thiyagu
Icon for Cirrus rankCirrus
Jun 10, 2019

Need help in disabling the weak ciphers in Client SSL profile

Hello All, I'm working to disable exporting of weak cipher suties from LTM using Client SSL profile. For example I want to disable the below cipher sutite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) th...
application delivery
BIG-IP
LTM
Dario_Garrido's avatar
Dario_Garrido
Icon for MVP rankMVP

​Hello

Configure cipher strength in your profile

https://support.f5.com/csp/article/K13171

Cipher List base on your release

https://support.f5.com/csp/article/K13156

Recopilation of KB about ciphers

https://support.f5.com/csp/article/K8802

KR,

Dario.

Dario_Garrido's avatar
Dario_Garrido
Icon for MVP rankMVP
Jun 10, 2019

BTW, "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)" is weak because of the key exchange (it's not ephemeral).

You can configure your ciphersuite as "DEFAULT:!RSA" to avoid using not ephemeral key exchanges.

# tmm --clientciphers DEFAULT:\!RSA
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA   
 1:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA   
 2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA   
 3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA   
 4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA   
 5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA   
 6:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA   
 7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA   
 8:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA   
 9:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA   
10:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA   
11:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA   
12:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA   
13:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.1  Native  DES       SHA     EDH/RSA   
14:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.2  Native  DES       SHA     EDH/RSA   
15:    22  DHE-RSA-DES-CBC3-SHA             168  DTLS1   Native  DES       SHA     EDH/RSA   
16: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
17: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
18: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA 
20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
21: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
22: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA 
24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
25: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA 
27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
28: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA

KR,

Dario.