Forum Discussion

Danny_Cabrera_3
Jan 09, 2019

Weak Ciphers Supported

Hello, BIG IP F5 LTM 12.1.2, Hotfix-BIGIP-12.1.2.2.0.276-HF2

I have one SSL client profile with the following cipher string: DEFAULT:!3DES:!DHE!TLSv1:!TLSv1_1


When I perform an SSL scan of the associated domain, it shows as vulnerable:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DH 1024 bit, WEAK DH Group Size)


On the same SSL profile, I also configure this chain: !EXPORT:!3DES:!DHE:!DH:!MD5:!SSLV3:!DTLv1:!ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:!TLSv1_1:tlsV1_2

I have the same problem. Could you help me to fix it?


TLS_DHE_RSA_WITH_AES_128_CBC_SHA


1 Reply

  • Surgeon
    Ret. Employee

    This is because you use DH 1024 bit. BIG-IP does not support DHE 2048 due to some technical aspects of such types of ciphers. You can disable DHE and use ECDHE instead.

    Are you sure you are connecting to BIG-IP directly? There is no RSA-DHE cipher listed on version 12.1.2 with the cipher string you used.

    tmm --clientciphers 'DEFAULT:!DHE:!TLSv1:!TLSv1_1:!3DES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
     1:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
     2:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
     3:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
     4:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
     5:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
     6:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
     7:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
     8: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     9: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
    10: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
    11: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
    12: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
    13: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
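One way to audit a cipher list like the one above without reading the table by eye: parse the `tmm --clientciphers` output and flag any suite whose key exchange is finite-field DH (the 1024-bit group the scanner complained about) or that is still offered on a legacy protocol. This is an added example, not code from the thread or from F5; the sample table is constructed (two rows copied from the reply plus one hypothetical DHE row), and the SSL3/TLS1/TLS1.1 protocol labels are assumed to follow the TLS1.2/DTLS1 style shown in the reply.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    bits: int
    proto: str
    keyx: str

# Rows are whitespace separated and start with a running index such as "12:";
# the header line and blank lines do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+(?P<proto>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<keyx>\S+)\s*$"
)

def parse_tmm_ciphers(text: str) -> list[Suite]:
    """Parse `tmm --clientciphers` table output into Suite records."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            out.append(Suite(int(m["id"]), m["name"], int(m["bits"]), m["proto"], m["keyx"]))
    return out

def is_ffdhe(keyx: str) -> bool:
    """Finite-field DH key exchange (DHE/EDH/DH/ADH spellings), but not ECDHE."""
    k = keyx.upper()
    return "DH" in k and "ECDH" not in k

def weak_dh_suites(suites: list[Suite]) -> list[str]:
    """Suites whose key exchange is finite-field DH; on the BIG-IP version in the
    thread these negotiate a 1024-bit group, which is what the scanner flagged."""
    return [s.name for s in suites if is_ffdhe(s.keyx)]

def legacy_protocol_suites(suites: list[Suite]) -> list[str]:
    """Suites still offered on SSL3/TLS1/TLS1.1 (protocol labels assumed, see lead-in)."""
    return [s.name for s in suites if s.proto.upper() in {"SSL3", "TLS1", "TLS1.1"}]

# Constructed sample: two rows from the reply plus one hypothetical DHE row
# (id 159 = 0x9F) showing what a profile that still allows DHE would look like.
SAMPLE = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE_RSA
 2: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
"""

if __name__ == "__main__":
    suites = parse_tmm_ciphers(SAMPLE)
    print("weak DH:", weak_dh_suites(suites))                    # ['DHE-RSA-AES256-GCM-SHA384']
    print("legacy protocols:", legacy_protocol_suites(suites))  # []
```

Paste the real `tmm --clientciphers '<your cipher string>'` output in place of SAMPLE; an empty weak-DH list means the profile no longer offers the 1024-bit DH suites the scanner reported.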