Forum Discussion
Adding Cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA"
Need one piece of information regarding adding a cipher suite to the existing client SSL profile. Due to the POODLE vulnerability, the cipher suite was changed from the default to RC4-SHA. Currently I need to add one more cipher, which is "TLS_RSA_WITH_AES_128_CBC_SHA". Is it possible to add one more cipher?
Below are some details :
LTM Version: BIG-IP 11.4.1 Build 637.0 Hotfix HF3
Current ciphers: RC4-SHA:!SSLv3:!SSLv2
thanks
4 Replies
- Greg_Crosby_319 (Historic F5 Account)
Here is a solution which has a section for how to configure the ssl profile to include a specific SSL cipher: SLO13171
Note that if you add this cipher and you're still running 11.4.1 HF3 you will make yourself vulnerable to CVE-2014-8730 (TLS POODLE) - see SOL15882.
I'd recommend upgrading to a fixed version, such as 11.4.1 HF8, which has a code fix for this. Then you could go back to a string such as "DEFAULT:!SSLv3" (you still need to disable SSLv3 for POODLE). SSLv2 is disabled by default, so you don't need !SSLv2 - but using it doesn't hurt.
- Kiran_145850
Nimbostratus
Thanks all for the reply.
I have a list of cipher suites. Are all the ciphers below vulnerable?
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA
thanks
ALL ciphers except for RC4 are vulnerable to CVE-2014-8730. (AES-GCM is not, but BIG-IP doesn't support that until 11.5.0.) Unless you have a patched release (as per SOL15882) the ONLY non-vulnerable cipher is RC4. All other ciphers are CBC-mode, even if they don't have 'CBC' in the name, and all CBC ciphers are vulnerable.
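As an added example (not code from this thread or from F5), here is a small Python classifier over the suite names quoted above that flags the CBC-mode ones, which the reply says are exposed on an unpatched 11.4.1; the function names, the `patched` flag and the handling of OpenSSL-style short names (which omit "CBC") are my own assumptions.

```python
"""Classify TLS cipher suites by bulk-cipher mode (constructed example).

The reply above states that on an unpatched BIG-IP 11.4.1 every CBC-mode
suite is exposed to CVE-2014-8730 (TLS POODLE), RC4 suites are not, and
AES-GCM is only available from 11.5.0. This helper inspects names only and
knows nothing about the device's actual patch level (the `patched` flag is
an assumption supplied by the caller).
"""

# Suites from the question above, in IANA notation (constructed sample input).
IANA_SUITES = """
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA     TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA      TLS_DH_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA      TLS_DH_DSS_WITH_AES_128_CBC_SHA
""".split()

# Block ciphers that OpenSSL-style short names (AES128-SHA, DES-CBC3-SHA) use
# without spelling out "CBC"; treated as CBC unless an AEAD mode is named.
_BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")


def cipher_mode(name: str) -> str:
    """Return 'RC4', 'AEAD', 'CBC' or 'other' for an IANA or OpenSSL suite name."""
    n = name.upper()
    if "RC4" in n:
        return "RC4"
    if "GCM" in n or "CCM" in n or "CHACHA" in n:  # AEAD modes, not CBC
        return "AEAD"
    if "_CBC_" in n:  # IANA names spell the mode out
        return "CBC"
    if any(bc in n for bc in _BLOCK_CIPHERS):  # OpenSSL short names do not
        return "CBC"
    return "other"


def expand_cipher_string(cipher_string: str) -> list:
    """Split a BIG-IP/OpenSSL cipher string such as 'RC4-SHA:!SSLv3:!SSLv2'
    into included suite names, dropping '!' exclusions (protocol or cipher)."""
    return [t for t in cipher_string.split(":") if t and not t.startswith("!")]


def tls_poodle_exposed(names, patched: bool = False) -> list:
    """Names that are CBC-mode and therefore exposed on an unpatched device."""
    if patched:  # a fixed release (per SOL15882) removes the CBC exposure
        return []
    return [n for n in names if cipher_mode(n) == "CBC"]
```

Running `tls_poodle_exposed(expand_cipher_string("RC4-SHA:!SSLv3:!SSLv2"))` returns an empty list, while feeding it the IANA list flags all fourteen suites.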