Forum Discussion

newf5learner_13
Dec 03, 2014

What are the SSL ciphers supported on F5, and how do I block requests that use old cipher versions?

What are the SSL ciphers supported on F5, and how do I block requests that use old cipher versions? We use various external-facing applications and we need to make sure that older / weak SSL ciphers are not allowed in negotiations. How can we achieve this?

And if a client session uses an older / weak SSL cipher, we need to pop up a message stating 'please use a latest browser'. Let me know if someone can help me get this in place.

I know how to block the unwanted SSL ciphers, but nothing about the next level of my requirement. Thanks

5 Replies

  • Supported ciphers are documented at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

    To give a message to a browser that uses weak encryption, you cannot block the weak encryption in the SSL profile. You must allow the weaker SSL to happen and then use some mechanism (such as an iRule) to send them the message. Because of this, other people I have talked to who want to do this stop, because they do not want the weak SSL to complete as it impacts their security audits. It can become difficult to catch all of the possible weak encryption methods properly. Here is an example that would catch SSLv3 and redirect them to another website with a message.

    when HTTP_REQUEST {
        # Clients whose handshake negotiated SSLv3 get sent to the notice page
        if { [SSL::cipher version] eq "SSLv3" } {
            HTTP::respond 302 Location "http://weakencryption"
        }
    }

  • Basically I don't want to allow any negotiations which are on weaker ciphers. Can't I negate the SSL cipher type in the profiles? Won't that work? In my profile configuration, I can change the cipher setting; instead of using 'DEFAULT' I think I can negate unwanted / weaker ciphers using '!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4'. By the above I'm disabling the use of the weak SSL cipher negotiations which are shown in that list. Won't this work?


  • If you want to give a friendly message to browsers using weak encryption, the above cipher list will not work. It will not allow SSL to negotiate with them, and without SSL completing, you will not be able to send an HTTP response.


    If you want to skip giving them a friendly message and only support the cipher list above, that will work fine.


  • Thanks for your inputs. I want to block any cipher negotiation which has a cipher algorithm with key length less than 256 bits. I think I can block them by using a setting on my SSL cert,

    DEFAULT:!

    but I have to do it on each SSL cert; instead, is there any other way where my BIG-IP will not allow any weaker negotiations?

    Thanks.
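The two questions above (whether the negated cipher string from the earlier reply actually removes the weak suites, and how to keep only 256-bit keys) both come down to how a cipher string is expanded against a suite list. The following Python is an added example, not code from the thread or from F5: it models the OpenSSL-style syntax BIG-IP cipher strings follow (`:` separates tokens, `!` excludes permanently, `-` excludes until re-added, `A+B` requires both keywords) over a small constructed suite catalogue. The catalogue, its protocol tags and the `Suite` attributes are assumptions made for illustration; in particular, real OpenSSL and TMOS differ in what the protocol keywords (`SSLv3`, `TLSv1`) select, so treat the output as a way to reason about the string, not as BIG-IP's own result.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Suite:
    """One cipher suite with the attributes that cipher-string keywords select on."""
    name: str
    protocol: str  # protocol version the suite is tagged with in this model (assumption)
    kx: str        # key exchange: RSA or ECDHE
    cipher: str    # bulk cipher: RC4, 3DES or AES
    bits: int      # symmetric key length in bits
    mac: str       # MD5, SHA, SHA256 or AEAD


# Constructed sample catalogue for illustration; not BIG-IP's cipher table.
CATALOGUE: List[Suite] = [
    Suite("EXP-RC4-MD5",                 "SSLv2",   "RSA",   "RC4",  40,  "MD5"),
    Suite("RC4-MD5",                     "SSLv3",   "RSA",   "RC4",  128, "MD5"),
    Suite("DES-CBC3-SHA",                "SSLv3",   "RSA",   "3DES", 168, "SHA"),
    Suite("AES128-SHA",                  "TLSv1",   "RSA",   "AES",  128, "SHA"),
    Suite("AES256-SHA",                  "TLSv1",   "RSA",   "AES",  256, "SHA"),
    Suite("ECDHE-RSA-RC4-SHA",           "TLSv1",   "ECDHE", "RC4",  128, "SHA"),
    Suite("AES256-SHA256",               "TLSv1.2", "RSA",   "AES",  256, "SHA256"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", "ECDHE", "AES",  128, "AEAD"),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", "ECDHE", "AES",  256, "AEAD"),
]


def keyword_matches(keyword: str, suite: Suite) -> bool:
    """Does a single keyword (without '!' or '+') select this suite?"""
    if keyword in ("DEFAULT", "ALL"):
        return True
    if keyword == "EXPORT":  # export-grade: 56-bit keys or weaker
        return suite.bits <= 56
    return keyword in (suite.protocol, suite.kx, suite.cipher, suite.mac)


def selector_matches(selector: str, suite: Suite) -> bool:
    """'RSA+AES' selects suites matching every '+'-joined keyword."""
    return all(keyword_matches(k, suite) for k in selector.split("+"))


def expand(cipher_string: str, catalogue: List[Suite] = CATALOGUE) -> List[str]:
    """Return the suite names that survive the cipher string, in selection order."""
    selected: List[Suite] = []
    banned = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token.startswith("!"):
            # Permanent exclusion: later positive tokens cannot re-add these suites.
            for s in catalogue:
                if selector_matches(token[1:], s):
                    banned.add(s)
            selected = [s for s in selected if s not in banned]
        elif token.startswith("-"):
            # Soft removal: a later positive token may re-add the suite.
            selected = [s for s in selected if not selector_matches(token[1:], s)]
        else:
            for s in catalogue:
                if selector_matches(token, s) and s not in banned and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def min_key_bits(names: List[str], minimum: int,
                 catalogue: List[Suite] = CATALOGUE) -> List[str]:
    """Keep only the named suites whose symmetric key is at least `minimum` bits."""
    by_name = {s.name: s for s in catalogue}
    return [n for n in names if by_name[n].bits >= minimum]


if __name__ == "__main__":
    posted = ("!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:"
              "ECDHE+AES:ECDHE+3DES:ECDHE+RC4")
    print("posted string :", expand(posted))
    print("256-bit only  :", min_key_bits(expand(posted), 256))
    print("no RC4/3DES   :", expand("DEFAULT:!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4:!3DES"))
```

Running it shows the point a reviewer would raise about the posted string: the `ECDHE+RC4` and `RSA+RC4` tokens explicitly re-admit RC4 wherever it is not already banned, so an RC4 suite survives even though the intent was "no weak ciphers"; banning by bulk cipher (`!RC4:!3DES`) is more direct than listing what to allow. On the BIG-IP itself, `tmm --clientciphers '<string>'` prints the suites TMOS actually selects for a given string and is the authoritative check before the string goes into a profile.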


  • I created an ssl profile called clientssl-strong and ONLY set the ciphers in it. Then I have all my other SSL profiles inherit it as their Parent Profile instead of the stock clientssl. I guess you could modify the clientssl profile directly, but I have to imagine it would get overwritten at some point in the future by an upgrade, so I don't recommend it.