Jawad_Mukhtar
Feb 15, 2020

Weak Cipher Disabling

Hi Team,

 

I am trying to disable weak ciphers but am still getting the following result.

 

NULL ciphers (no encryption)                  not offered (OK)

Anonymous NULL Ciphers (no authentication)   not offered (OK)

Export ciphers (w/o ADH+NULL)                 not offered (OK)

LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)

Triple DES Ciphers / IDEA                     not offered (OK)

Average: SEED + 128+256 Bit CBC ciphers       offered

Strong encryption (AEAD ciphers)              offered (OK)

 

I have used the following cipher list.

 

TLSV1_2:!DES:!3DES:!ADH:!EXPORT

 

What more do I need to add to block LOW: 64 Bit + DES, RC[2,4] (w/o export)?

 

 

9 Replies

  • Hi,

     

    You can try the below:

     

    DEFAULT:!TLSv1:!RSA:!TLSv1_1:!3DES:!AES:!CAMELLIA:!DHE:@STRENGTH

  • F5 has already disabled all SSL, TLS 1.0 and TLS 1.1 ciphers in v14.x.

    I don't think there is any difference in keeping DEFAULT at the beginning.

    You can check in bash mode:

    tmm --clientciphers 'DEFAULT:TLSV1_2:!DES:!3DES:!ADH:!EXPORT'

    vs

    tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT'

  • NULL ciphers (no encryption)                 not offered (OK)

    Anonymous NULL Ciphers (no authentication)   not offered (OK)

    Export ciphers (w/o ADH+NULL)                not offered (OK)

    LOW: 64 Bit + DES, RC[2,4] (w/o export)      offered (NOT ok)

    Triple DES Ciphers / IDEA                    not offered (OK)

    Average: SEED + 128+256 Bit CBC ciphers      offered

    Strong encryption (AEAD ciphers)             offered (O

     

     

    Earlier it was giving weak ciphers for Anonymous, Low and Triple DES.

     

    I entered below:

     

    TLSV1_2:!DES:!3DES:!ADH:!EXPORT

     

    After this they rechecked, and they are just getting 1 again:

     

    NULL ciphers (no encryption)                 not offered (OK)

    Anonymous NULL Ciphers (no authentication)   not offered (OK)

    Export ciphers (w/o ADH+NULL)                not offered (OK)

    LOW: 64 Bit + DES, RC[2,4] (w/o export)      offered (NOT ok)

    Triple DES Ciphers / IDEA                    not offered (OK)

    Average: SEED + 128+256 Bit CBC ciphers      offered

    Strong encryption (AEAD ciphers)             offered (OK)

     

     

    What value do I need to add to the above ciphers?

    Second, we only have to enable TLSV1.2, which is what I did in the above ciphers.

     

     

     

     

  • You can try something like this.

    DEFAULT:ECDHE:!RSA:!DHE:!3DES

    Let us know the results.

  • What is the purpose of using DEFAULT at the start? Is it a must to use? I have TLSv1.2 turned on, which is required.

  • What is the purpose of using DEFAULT at the start? Is it a must to use, as I have to have TLSv1.2 turned on?
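
Added example (not part of any post in this thread, and not F5's code): the `tmm --clientciphers` check suggested above lists the suites a cipher string expands to, and this shell function filters such a listing for suites in the scan's "LOW: 64 Bit + DES, RC[2,4] (w/o export)" category. The column layout and the sample listing are assumptions constructed for illustration; `low_suites` and `sample_listing` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example. Reads a `tmm --clientciphers '<string>'` listing on stdin and
# prints the suites matching the scan category
# "LOW: 64 Bit + DES, RC[2,4] (w/o export)".
# Assumption: rows look like "N: ID SUITE BITS PROT METHOD CIPHER MAC KEYX".
low_suites() {
  awk '
    $1 !~ /^[0-9]+:$/ { next }        # skip the header and any non-data line
    $3 ~ /^EXP/       { next }        # export suites are a separate category
    {
      suite = $3; bits = $4 + 0; why = ""
      if      (suite ~ /RC4/) why = "RC4"
      else if (suite ~ /RC2/) why = "RC2"
      else if (suite ~ /DES/ && suite !~ /3DES|DES-CBC3/) why = "single DES"
      else if (bits > 0 && bits <= 64) why = "key of 64 bits or less"
      if (why != "") printf "%s\t%s\t%s\n", suite, $5, why
    }'
}

# Constructed sample listing (not output from the poster's BIG-IP).
sample_listing() {
  cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1:    61  AES256-SHA256                    256  TLS1.2  Native  AES      SHA256  RSA
 2:     5  RC4-SHA                          128  TLS1.2  Native  RC4      SHA     RSA
 3:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES      SHA     RSA
 4:     9  DES-CBC-SHA                       64  TLS1.2  Native  DES      SHA     RSA
EOF
}

# On the BIG-IP itself, pipe the real listing in instead of the sample:
#   tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT' | low_suites
sample_listing | low_suites
```

An empty result for a given cipher string means none of the listed suites fall into that category; any line printed names a suite to exclude before the next scan.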