Forum Discussion
5 Replies
- mimlo_61970 (Cumulonimbus)
Support ciphers are documented at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
To give a message to a browser that uses weak encryption, you cannot block the weak encryption in the ssl profile. You must allow the weaker ssl to happen and then use some mechanism (such as an iRule) to send them the message. Because of this, other people I have talked to who want to do this stop because they do not want the weak ssl to complete as it impacts their security audits. It can become difficult to catch all of the possible weak encryption methods properly. Here is an example that would catch SSLv3 and redirect them to another website with a message.

    when HTTP_REQUEST {
        # SSL::cipher version returns the negotiated protocol version for this connection
        if { [SSL::cipher version] eq "SSLv3" } {
            # send the weak-crypto client to a page that explains the problem
            HTTP::respond 302 Location "http://weakencryption"
        }
    }
- newf5learner (Nimbostratus)
Basically I don't want to allow any negotiations which are on weaker ciphers. Can't I negate the ssl cipher type in the profiles? Won't that work? In my profile configuration, I can change the cipher setting instead of using 'DEFAULT'. I think I can negate unwanted / weaker ciphers using '!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4'. By the above I'm disabling the use of the weak ssl cipher negotiations which are shown in that list. Won't this work?
- mimlo_61970 (Cumulonimbus)
If you want to give a friendly message to browsers using weak encryption, the above cipher list will not work. It will not allow SSL to negotiate with them, and without SSL completing, you will not be able to send an HTTP response.
If you want to skip giving them a friendly message and only support the cipher list above, that will work fine.
- newf5learner (Nimbostratus)
Thanks for your inputs. I want to block any cipher negotiation which has a cipher algorithm with a key length of less than 256 bits. I think I can block them by using a setting on my ssl cert,
DEFAULT:!
but I have to do it on each ssl cert. Instead, is there any other way where my Big_IP will not allow any weaker negotiations?
thanks.
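The two questions above (does the '!SSLv2:!SSLv3:...' string from the earlier post do what it looks like, and does it actually keep out everything under 256 bits) can be checked offline with a small model of how such a cipher string is evaluated. The script below is an added example for this thread, not code from F5 or from any poster. It models only the OpenSSL-style rules that a colon separates entries, a plain entry adds every cipher matching all of its '+'-joined keywords, and a '!' entry removes matching ciphers permanently; bare protocol keywords (SSLv2, SSLv3, TLSv1, ...) are assumed to toggle a protocol version on or off rather than touch the cipher list, which is the BIG-IP behaviour described in the K13163 article linked above. The cipher table is a constructed toy with OpenSSL-style names, not the platform's real list, and the "strict" string at the bottom is a constructed alternative, not a recommendation from the thread.

```python
"""Simplified evaluator for an OpenSSL/BIG-IP-style cipher string (constructed example)."""
from dataclasses import dataclass

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str        # key exchange: RSA or ECDHE
    enc: str       # bulk cipher: AES, 3DES or RC4
    bits: int      # symmetric key length in bits
    mac: str       # MD5, SHA1 or SHA384
    export: bool = False


# Constructed toy table; names follow OpenSSL conventions, the list is not F5's.
TABLE = (
    Cipher("AES256-SHA", "RSA", "AES", 256, "SHA1"),
    Cipher("AES128-SHA", "RSA", "AES", 128, "SHA1"),
    Cipher("DES-CBC3-SHA", "RSA", "3DES", 168, "SHA1"),
    Cipher("RC4-SHA", "RSA", "RC4", 128, "SHA1"),
    Cipher("RC4-MD5", "RSA", "RC4", 128, "MD5"),
    Cipher("EXP-RC4-MD5", "RSA", "RC4", 40, "MD5", export=True),
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AES", 256, "SHA384"),
    Cipher("ECDHE-RSA-AES128-SHA", "ECDHE", "AES", 128, "SHA1"),
)


def matches(c, kw):
    """Does cipher c match one keyword of the modelled cipher-string grammar?"""
    if kw == "DEFAULT":
        return not c.export
    if kw == "EXPORT":
        return c.export
    if kw in ("RSA", "ECDHE"):
        return c.kx == kw
    if kw in ("AES", "3DES", "RC4"):
        return c.enc == kw
    if kw in ("AES128", "AES256"):
        return c.enc == "AES" and c.bits == int(kw[3:])
    if kw == "MD5":
        return c.mac == "MD5"
    raise ValueError(f"keyword not in this model: {kw}")


def evaluate(cipher_string):
    """Return (allowed ciphers in preference order, set of enabled protocol versions)."""
    allowed = []
    banned = set()
    protocols = set(PROTOCOLS)            # all on until a '!version' entry turns one off
    for entry in cipher_string.split(":"):
        if not entry or entry == "!":     # tolerate a trailing ':' or a bare '!'
            continue
        negate = entry.startswith("!")
        keywords = entry.lstrip("!").split("+")
        if len(keywords) == 1 and keywords[0] in PROTOCOLS:
            # assumed BIG-IP behaviour: version keywords act on the protocol set
            (protocols.discard if negate else protocols.add)(keywords[0])
            continue
        hits = [c for c in TABLE if all(matches(c, k) for k in keywords)]
        if negate:
            # '!' is permanent: remove now and refuse later re-adds
            banned.update(c.name for c in hits)
            allowed = [c for c in allowed if c.name not in banned]
        else:
            for c in hits:
                if c.name not in banned and c not in allowed:
                    allowed.append(c)
    return allowed, protocols


def weak_ciphers(ciphers, min_bits):
    """Names of ciphers whose symmetric key is shorter than min_bits."""
    return [c.name for c in ciphers if c.bits < min_bits]


# The string proposed in the thread, and a stricter constructed alternative.
THREAD_STRING = "!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4"
STRICT_STRING = "!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4:!3DES:ECDHE+AES256:RSA+AES256"

if __name__ == "__main__":
    for label, s in (("thread", THREAD_STRING), ("strict", STRICT_STRING)):
        ciphers, protos = evaluate(s)
        print(label, [c.name for c in ciphers], sorted(protos))
        print("  below 256-bit:", weak_ciphers(ciphers, 256))
```

Run against the thread's string, the model shows that SSLv2 and SSLv3 are turned off and the MD5 and export suites are gone, but RC4, 3DES and the 128-bit AES suites are still negotiable, so it does not meet the "nothing under 256 bits" goal by itself; the extra '!RC4:!3DES' entries and the AES256-only positive entries in the constructed strict string are what remove them in this model. Whatever string is chosen, confirm the real result on the BIG-IP itself rather than trusting the model, since the platform's keyword table is larger than this toy.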
- mimlo_61970 (Cumulonimbus)
I created an ssl profile called clientssl-strong and ONLY set the ciphers in it. Then I have all my other SSL profiles inherit it as their Parent Profile instead of the stock clientssl. I guess you could modify the clientssl profile directly, but I have to imagine it would get overwritten at some point in the future by an upgrade, so I don't recommend it.