daveferrier_202
Jan 15, 2019

Does BIG-IP Version 12.1.3.5 Point Release 5 support 3DES and SSLv3

Security scanning is stating the BIG-IP 3600 is supporting 3DES and SSLv3. I do not see this option in the cipher list. I see it defined when creating the default https monitor: cipherlist DEFAULT:+SHA:+3DES:+kEDH. Admittedly, I am a bit confused. Any thoughts? Thanks. Dave

 

3 Replies

  • Are they saying a VIP on the device is configured for it, or the management GUI? Perhaps it's a generic message saying that the platform supports SSLv3 but not necessarily that you have it enabled?

     

    Running tmm --clientciphers 'SSLv3' on a v13.1 VE shows that I could enable 20 different SSLv3 ciphers, but by default, the ssl cipher string doesn't have them listed.

     

    If you have a non-custom cipher string in the ssl profiles in use, run that command with them in between the quotes to see what ciphers are configured.

     

  • Hi Dave. Thanks for the reply.

     

    Actually, they are pointing to a VIP IP, and also complaining about the physical IP of the BIG-IP.

     

    I ran the tmm --clientciphers 'SSLv3' and tmm --clientciphers '3DES' and it came back with a similar response.

     

    All of the ssl profiles in use are defined to use default settings.

     

    I am going to try to negate the weak ciphers in specific profiles.
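
Added example, not part of the thread: a small shell filter for the `tmm --clientciphers` check suggested above. It lists only the rows that use SSLv3 or a 3DES suite, so a profile's cipher string can be rechecked after the weak ciphers are negated. The sample listing is constructed, and its column layout (ID, SUITE, BITS, PROT, ...) is an assumption about what tmm prints on your version.

```shell
#!/bin/sh
# Constructed sample in the column layout assumed for `tmm --clientciphers`
# (ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX); not output from the thread.
sample_output() {
cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
 2:    53  AES256-SHA                       256  SSL3    Native  AES       SHA     RSA
 3:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
 4:    10  DES-CBC3-SHA                     168  SSL3    Native  DES       SHA     RSA
EOF
}

# Read a cipher listing on stdin; print "REASON SUITE PROT" for every row
# that is offered over SSLv3 or uses a 3DES suite.
flag_weak() {
  awk '
    $1 ~ /^[0-9]+:$/ {            # data rows start with "N:"; this skips the header
      suite = $3; prot = $5; reason = ""
      if (prot == "SSL3")      reason = "SSLv3"
      if (suite ~ /DES-CBC3/)  reason = (reason == "" ? "3DES" : reason "+3DES")
      if (reason != "")        print reason, suite, prot
    }'
}

# Number of flagged rows; 0 means the string expands to no SSLv3/3DES entries.
count_weak() { flag_weak | wc -l | tr -d ' '; }

# On the BIG-IP itself (not run here): tmm --clientciphers 'DEFAULT' | flag_weak
sample_output | flag_weak
```

Run the same pipe with the exact cipher string from each SSL profile before and after the change; an empty result for a profile means the scanner finding is coming from somewhere else, such as the management interface.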