For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Skuba_85554's avatar
Skuba_85554
Icon for Nimbostratus rankNimbostratus
Feb 12, 2010

best practice for ssl ciphers

hi everyone     we've recently had a security audit and the report has recommended that we disable the following ciphers:   EXP-DES-CBC-SHA   EXP-RC2-CBC-MD5   EXP-RC4-MD5 ...
config
design
Skuba_85554's avatar
Skuba_85554
Icon for Nimbostratus rankNimbostratus
Feb 16, 2010

The only problem arises if there isn't at least one cipher in the list of ciphers the client and LTM both support. In that case, the SSL handshake will fail.

 

 

So it's good to configure the limited ciphers on a test VIP and test with each OS/browser combination (or as many as you can) that your web app supports.

 

 

Aaron

 

 

 

Hi Aaron

 

 

Thanks again for your response. You've hit the nail on the head there - I've been asked to disable the ciphers mentioned previously ASAP, and I don't know what it will effect (i.e. what combinations of OS/browsers)

 

 

I know this sounds lazy, but I would have thought someone would have produced a list online (not on DevCentral, but I was hoping someone would have a link to a site that says "Cipher A works fine with Windows XP/IE6" etc)

 

 

But I guess not as someone would have posted the link. Looks like it's going to take a while to test this out fully

 

 

Thanks for your help