Forum Discussion

Thiyagu
Jun 10, 2019

Need help in disabling the weak ciphers in Client SSL profile

Hello All,

I'm working to disable exporting of weak cipher suites from LTM using the Client SSL profile. For example, I want to disable the below cipher suite:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d). What could be the ciphers to use in the Client SSL profile so that this cipher suite is not exported?

Could you also share any article which will help to learn on this?

Regards,

Thiyagu

2 Replies

  • Hello

    Configure cipher strength in your profile

    https://support.f5.com/csp/article/K13171

    Cipher list based on your release

    https://support.f5.com/csp/article/K13156

    Compilation of KBs about ciphers

    https://support.f5.com/csp/article/K8802

    KR,

    Dario.

    • Dario_Garrido

      BTW, "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)" is weak because of the key exchange (it's not ephemeral).

      You can configure your ciphersuite as "DEFAULT:!RSA" to avoid using non-ephemeral key exchanges.

      # tmm --clientciphers DEFAULT:\!RSA
             ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
       0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA   
       1:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA   
       2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA   
       3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA   
       4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA   
       5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA   
       6:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA   
       7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA   
       8:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA   
       9:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA   
      10:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA   
      11:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA   
      12:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA   
      13:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.1  Native  DES       SHA     EDH/RSA   
      14:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.2  Native  DES       SHA     EDH/RSA   
      15:    22  DHE-RSA-DES-CBC3-SHA             168  DTLS1   Native  DES       SHA     EDH/RSA   
      16: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
      17: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
      18: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
      19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA 
      20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
      21: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
      22: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
      23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA 
      24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
      25: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
      26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA 
      27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
      28: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA 

      KR,

      Dario.
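An added example, not Dario's code or anything from F5: it parses a `tmm --clientciphers` listing in the column layout shown above and flags what a hardening review would still want removed: rows whose KEYX is a static (non-ephemeral) key exchange, the reason 0x9d is weak, and the 3DES (DES-CBC3) rows that `DEFAULT:!RSA` leaves in place. The rows are a constructed excerpt; the row with ID 157 (0x9d) and its SUITE/KEYX values are assumed for the "before" case, not copied from the listing.

```python
import re
from collections import namedtuple

# Constructed excerpt in the layout of the tmm --clientciphers listing quoted above.
# The ID 157 (0x9d) row is assumed: it shows the static-RSA suite DEFAULT:!RSA removes.
SAMPLE_LISTING = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
12:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA
16: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA
99:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
"""

# One row: "<n>: <ID> <SUITE> <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>"; header is skipped.
ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)\s+"
    r"\S+\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)
Suite = namedtuple("Suite", "id name bits prot cipher mac keyx")  # id is decimal: 157 == 0x9d

def parse_listing(text):
    """Parse tmm --clientciphers rows into Suite tuples; header and blank lines are ignored."""
    rows = []
    for m in (ROW_RE.match(line) for line in text.splitlines()):
        if m:
            rows.append(Suite(int(m["id"]), m["name"], int(m["bits"]), m["prot"],
                              m["cipher"], m["mac"], m["keyx"]))
    return rows

def offers_suite(rows, suite_id):
    """True if the listing still negotiates the given IANA suite number (e.g. 0x9d)."""
    return any(r.id == suite_id for r in rows)

def audit(rows):
    """Return (name, protocol, reason) for each row a hardening review would flag."""
    findings = []
    for r in rows:
        if not r.keyx.startswith(("EDH", "ECDHE")):  # EDH/RSA and ECDHE_RSA are ephemeral
            findings.append((r.name, r.prot, "static key exchange, no forward secrecy"))
        if r.cipher == "DES":  # DES-CBC3 is 3DES, a 64-bit block cipher
            findings.append((r.name, r.prot, "legacy DES/3DES cipher"))
    return findings

if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print("0x9d still offered:", offers_suite(rows, 0x9d))
    for name, prot, why in audit(rows):
        print(f"{name:32} {prot:7} {why}")
```

Feed it the real `tmm --clientciphers` output for the cipher string under test; an empty audit and `offers_suite(..., 0x9d)` returning False are the conditions the original question asks for.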