henry_kay_36032
Oct 23, 2015

disable cipher tls_rsa_with_3des_ede_cbc_sha

Hi all,

One of my customers was doing a vulnerability scan and was prompted with a message:

"Negociated with the following insecure cipher suites: TLS 1.2 ciphers tls_rsa_with_3des_ede_cbc_sha"

I have searched through Google, DevCentral and AskF5. However, even though there are a lot of discussions going on, there is no indication of how to block or disable the cipher.

It will be good if someone can point me in the right direction or to material that can help me with the above-mentioned.

Thank you.


6 Replies

  • Hi vitaliy,

    Thanks for the link that you attached. I have gone through the items but it seems that I couldn't disable the cipher suite.

    But I have opened a support case with support. I will give feedback here once I get a reply from support.


  • This cipher string will disable 3DES as well as prioritize PFS and GCM.

    !EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES

    tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
     5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
     6: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
     7: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
     8: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
     9: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
    10:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
    11:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
    12:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
    13:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
    14:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
    15:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
    16:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
    17:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
    18:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA
    19:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
    
    • Brad_Parker
      You can also just add "!3DES" to whatever cipher string is currently in use.
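
To confirm that a candidate cipher string no longer offers 3DES, the table printed by `tmm --clientciphers` can be checked mechanically instead of by eye. The script below is an added example, not part of the original posts; the function names and both sample tables are constructed for illustration (the DES-CBC3-SHA row in particular is not taken from the thread).

```shell
#!/bin/sh
# Added example: audit `tmm --clientciphers` output for 3DES suites.

# IANA suite IDs (decimal) of the 3DES suites checked here. 10 is
# TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite the scanner reported.
TDES_IDS="10 19 22 27 49155 49160 49165 49170"

# Reads the tmm table on stdin and prints "ID SUITE PROT" for each 3DES row.
# Exit status: 0 when no 3DES suite is offered, 1 when at least one remains.
find_3des() {
    awk -v ids="$TDES_IDS" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        # Data rows look like " 0: 49200  SUITE  BITS PROT ..."; skip the header.
        $1 ~ /^[0-9]+:$/ {
            if (($2 in bad) || $3 ~ /DES-CBC3|3DES/) { print $2, $3, $5; hit = 1 }
        }
        END { exit hit ? 1 : 0 }
    '
}

# Constructed sample: rows in the format shown in the reply above, no 3DES.
sample_hardened() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 2:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
EOF
}

# Constructed sample: same format with a 3DES row added (column values assumed).
sample_weak() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
 2:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES       SHA     RSA
EOF
}

# On a BIG-IP the real table would be piped in, for example:
#   tmm --clientciphers '<cipher string>' | find_3des
sample_hardened | find_3des && echo "hardened sample: no 3DES offered"
sample_weak | find_3des || echo "weak sample: 3DES still offered"
```

Matching on the suite ID as well as the name means the check does not depend on how a given TMOS version labels the BITS or CIPHER columns for 3DES.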