dlogsdonmd
Jun 14, 2017

Block Ciphers F5 LTM

Hello, I want to block specific ciphers on my LTM. We use a common SSL client profile for a good chunk of our sites/subdomains. Below are the two ciphers I want to block (SSL Labs reports them as weak). Below that is what we currently have on our SSL client profile.

We're running LTM 11.5.1 build 6.0 hotfix FH6

Ciphers I need to block:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

Currently configured on LB:

DEFAULT:!SSLv3:!RC4

Should the SSL profile be updated as below?

DEFAULT:!SSLv3:!RC4:!3DES

I don't want to guess so appreciate any assistance provided.

Thanks in advance.

Diane

1 Reply

  • The first thing you need to understand is the fact that the "DEFAULT" changes between versions. If you update the F5 to 12.1.2, it will probably have a default that has removed the ciphers that are considered weak today.

    Secondly, no need to guess, as you can test the behaviour without applying the change. If you run these commands:

    tmm --clientciphers "DEFAULT:!SSLv3:!RC4"
    tmm --clientciphers "DEFAULT:!SSLv3:!RC4:!3DES"
    

    And compare the output, you know which ciphers were removed.

    Lastly, some solutions that explain this a little more:

    https://support.f5.com/csp/article/K13156

    https://support.f5.com/csp/article/K13163

    Or the main solution for SSL profiles:

    https://support.f5.com/csp/article/K8802
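
One way to do the comparison the reply describes, as an added example (not from the thread or from F5): save each `tmm --clientciphers` listing to a file and compare on suite ID, name and protocol instead of raw lines, because the row index shifts when suites drop out. The sample listings are constructed and their column layout (index, ID, SUITE, BITS, PROT, ...) is an assumption; IDs 10 and 49170 are the decimal forms of 0xa and 0xc012 from the question.

```shell
#!/bin/sh
# Constructed sample listings; layout assumed: index, ID, SUITE, BITS, PROT, ...
write_samples() {
    cat > "$1/before.txt" <<'EOF'
       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1:    47  AES128-SHA                   128  TLS1    Native  AES      SHA     RSA
 2: 49170  ECDHE-RSA-DES-CBC3-SHA       168  TLS1    Native  DES      SHA     ECDHE_RSA
 3:    10  DES-CBC3-SHA                 168  TLS1    Native  DES      SHA     RSA
 4:    10  DES-CBC3-SHA                 168  TLS1.2  Native  DES      SHA     RSA
EOF
    cat > "$1/after.txt" <<'EOF'
       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1:    47  AES128-SHA                   128  TLS1    Native  AES      SHA     RSA
EOF
}

# Print "ID SUITE PROT" for rows in $1 (before) that are missing from $2 (after).
removed_suites() {
    awk '
        $1 !~ /^[0-9]+:$/ { next }              # skip header and blank lines
        { key = $2 " " $3 " " $5 }              # ignore the shifting row index
        FILENAME == ARGV[1] { after[key] = 1; next }
        !(key in after) { print key }
    ' "$2" "$1"
}

# Return 0 only if none of the given decimal suite IDs appear in listing $1.
ids_absent() {
    file=$1; shift
    for id in "$@"; do
        if awk -v id="$id" '$1 ~ /^[0-9]+:$/ && $2 == id { found = 1 }
                            END { exit !found }' "$file"; then
            echo "still offered: ID $id" >&2
            return 1
        fi
    done
    return 0
}

# Demo on the constructed listings.
d=$(mktemp -d); write_samples "$d"
removed_suites "$d/before.txt" "$d/after.txt"
ids_absent "$d/after.txt" 10 49170 && echo "0xa and 0xc012 no longer offered"
rm -rf "$d"
```

On the BIG-IP itself, redirect each `tmm --clientciphers "..."` run to a file and pass the two files to `removed_suites` in before, after order.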