Forum Discussion

best practice for ssl ciphers

Skuba_85554 (Nimbostratus), Feb 12, 2010
Hi everyone,
We've recently had a security audit, and the report has recommended that we disable the following ciphers:
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5 ...
hoolio (Cirrostratus), Feb 12, 2010

Hi Skuba,
One of our banking customers decided on using the following based on penetration and browser testing:
tmm --clientciphers 'HIGH:!SSLv2:!ADH'
       ID  SUITE              BITS  PROT  METHOD  CIPHER  MAC  KEYX
 0:    53  AES256-SHA         256   SSL3  Native  AES     SHA  RSA
 1:    53  AES256-SHA         256   TLS1  Native  AES     SHA  RSA
 2:    55  DH-RSA-AES256-SHA  256   SSL3  Compat  AES     SHA  DH/RSA
 3:    55  DH-RSA-AES256-SHA  256   TLS1  Compat  AES     SHA  DH/RSA
 4:    57  DHE-RSA-AES256-SHA 256   SSL3  Compat  AES     SHA  EDH/RSA
 5:    57  DHE-RSA-AES256-SHA 256   TLS1  Compat  AES     SHA  EDH/RSA
Any client that doesn't support one of these ciphers would get a TCP reset. In practice, I don't think the customer has received any complaints from clients who are unable to access the VIPs.
Another option is to use an iRule to enforce high ciphers but give clients who don't support a high enough cipher an HTTP response indicating why they can't access the site. You can do this following a codeshare example:
http://devcentral.f5.com/wiki/default.aspx/iRules/RedirectOnWeakEncryption.html
Aaron