Forum Discussion

veato
May 24, 2017

Excluding Cipher Suites

I have been given a list of cipher suites which have been flagged as weak and cross-referenced this with the published list of ciphers for BIG-IP v12. I now need to exclude these ciphers from the default stack and, whilst I am aware of the method (e.g. DEFAULT:!TLSv1), I'm not sure of the string to exclude the following specifically:

TLS1.2

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS1.1

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS1.0

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Can anyone advise?

2 Replies

  • Hi, I have a similar problem with ciphers. After scanning with SSL Labs I get some weak cipher errors, let's say for TLS1.1:

    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK112

    The ciphers used in LTM are:

    tmm --clientciphers 'DEFAULT:!EXPORT40:!EXP:!LOW:!DH:!DHE:!SSLv3:!MD5:!RC4-SHA:!ADH' | grep TLS1.1

    4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
    9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
    13: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
    20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
    24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
    27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA

    I cannot see any 3DES ciphers here, so I am not sure which ones should be disabled. Do I need to disable DES by adding !DES?

    Thanks
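The scanner findings and the `tmm --clientciphers` rows in the reply above can be matched without guessing at names: the second column of the tmm listing is the IANA cipher-suite number in decimal, so 10 is 0x000A (TLS_RSA_WITH_3DES_EDE_CBC_SHA, which BIG-IP lists under its OpenSSL-style name DES-CBC3-SHA) and 49170 is 0xC012 (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, listed as ECDHE-RSA-DES-CBC3-SHA). The "DES" in those names is triple DES. The Python script below is an added example for this thread, not code from the poster or from F5: it parses a listing in the format quoted above (the six TLS1.1 rows are embedded as a constructed sample), cross-references it by cipher-suite number against the TLS1.1 suites flagged in the original question, and reports which flagged suites are still offered and which the existing exclusion string already removes. The cipher-suite numbers are taken from the IANA TLS Cipher Suite registry; the column layout is assumed from the rows quoted in the reply.

```python
"""Cross-reference scanner-flagged TLS cipher suites (IANA names) against a
BIG-IP `tmm --clientciphers` listing by cipher-suite number.

Added example for this thread; not F5 code. The column layout is assumed from
the rows quoted in the reply: "index: id name bits version type cipher mac kx".
"""
import re
from typing import Dict, List, Optional

# Cipher-suite numbers from the IANA TLS Cipher Suite registry for every suite
# named in the original question. The two 3DES values match the hex numbers in
# the quoted SSL Labs output (0xa and 0xc012).
IANA_IDS: Dict[str, int] = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": 0x006B,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009F,
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": 0xC012,
}

# The TLS1.1 suites flagged in the original question.
FLAGGED_TLS11 = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample: the six TLS1.1 rows quoted in the reply.
SAMPLE_TMM_OUTPUT = """\
4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
13: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
"""

# One tmm row: "index: id name bits version type cipher mac kx" (assumed layout).
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<version>\S+)\s+(?P<type>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<kx>\S+)\s*$"
)


def parse_tmm_listing(text: str) -> List[dict]:
    """Parse tmm rows; lines that do not fit the layout (headers, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        row = m.groupdict()
        for key in ("index", "id", "bits"):
            row[key] = int(row[key])  # decimal cipher-suite number, as tmm prints it
        rows.append(row)
    return rows


def suite_numbers(names: List[str]) -> Dict[int, str]:
    """Map IANA names to registry numbers, failing loudly on a name we cannot resolve."""
    unknown = [n for n in names if n not in IANA_IDS]
    if unknown:
        raise KeyError(f"no registry number known for: {', '.join(unknown)}")
    return {IANA_IDS[n]: n for n in names}


def still_offered(rows: List[dict], flagged: List[str], version: Optional[str] = None) -> List[dict]:
    """Rows whose cipher-suite number is in the flagged set, optionally for one protocol version."""
    wanted = suite_numbers(flagged)
    return [
        dict(row, iana=wanted[row["id"]])
        for row in rows
        if row["id"] in wanted and (version is None or row["version"] == version)
    ]


def already_excluded(rows: List[dict], flagged: List[str], version: Optional[str] = None) -> List[str]:
    """Flagged suites that do not appear in the listing at all (the cipher string already drops them)."""
    wanted = suite_numbers(flagged)
    present = {row["id"] for row in rows if version is None or row["version"] == version}
    return [name for number, name in wanted.items() if number not in present]


if __name__ == "__main__":
    rows = parse_tmm_listing(SAMPLE_TMM_OUTPUT)
    for hit in still_offered(rows, FLAGGED_TLS11, "TLS1.1"):
        print(f"still offered:    {hit['name']:<26} id={hit['id']:<6} (0x{hit['id']:04X}) = {hit['iana']}")
    for name in already_excluded(rows, FLAGGED_TLS11, "TLS1.1"):
        print(f"already excluded: {name}")
```

Running it against the full listing rather than a grep for one version checks every protocol at once; after changing the cipher string, feeding the new `tmm --clientciphers` output through the same check confirms that the flagged suites no longer appear. On the sample rows the two 3DES suites are the only flagged ones still offered, and the three DHE suites are already gone because the existing string contains !DHE.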