Bigip 11.2.1 - weak ciphers
I have BIG-IP 11.2.1 in my test lab and below is the cipher suite string for the SSL profile:
TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH
However, there are a few weak ciphers still open when I scan:
[TLS_RSA_WITH_AES_256_CBC_SHA (0x35) ]
[TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) ]
[TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) ]
[TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) ]
Can someone advise if these can be blocked at all in 11.2.1? If yes, please share the ciphers.
3 Replies
So the RSA cipher suite is being deprecated by testing tools like SSLLabs as they don't provide Forward Secrecy: SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT
Running a version such as 11.2.1 in a production scenario raises so many more questions other than "how do I block this cipher?". There is a significant number of vulnerabilities that have been discovered since this version was released and that have been fixed in later versions.
I would recommend patching to a later supported release at your earliest opportunity.
To answer your question, you could probably disable them, but I don't think that would leave all that many options for usable ciphers. You should test this thoroughly.
- Ilian_Ivanov
Hello,
Add !RSA to your cipher string, so it should look like:
TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:!RSA:@STRENGTH
And as Josh said, you will need to patch your system to mitigate a lot of vulnerabilities on your current version.
Regards
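To see why the four static-RSA suites survive the original string and why !RSA removes them, here is an added example (not from this thread and not F5's tmm code) that models the F5/OpenSSL-style cipher string grammar over a small constructed suite table. Assumptions, as labelled in the code: the RSA keyword matches suites whose key exchange is static RSA (so ECDHE-RSA suites, which only authenticate with RSA, are kept); a negated protocol keyword such as !SSLv3 disables that protocol version rather than deleting suites; "!" removes matching suites permanently, "-" removes them but lets a later keyword re-add them, and @STRENGTH sorts the current list by cipher bits. The suite table and the names in it are constructed for the example.

```python
"""Toy evaluator for BIG-IP style cipher strings (constructed model, not tmm).

Assumptions (also stated in the lead-in):
  * "RSA" matches suites with static RSA key exchange, not ECDHE-RSA.
  * "!<protocol>" disables that protocol version and deletes no suites;
    a plain protocol keyword enables the version and adds its suites.
  * "!" removes permanently, "-" removes but allows re-adding,
    "@STRENGTH" sorts the current list by bits, descending.
"""
from dataclasses import dataclass

PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
ALL = frozenset(PROTOCOLS)
TLS_ONLY = frozenset(PROTOCOLS[1:])
TLS12 = frozenset({"TLSv1_2"})


@dataclass(frozen=True)
class Suite:
    name: str        # OpenSSL/F5 style name
    iana: str        # name as a scanner such as nmap ssl-enum-ciphers reports it
    kx: str          # key exchange: RSA, ECDHE, DHE, ADH
    enc: str         # bulk cipher family
    bits: int
    mac: str
    protocols: frozenset


# Constructed table: the suites from the scan plus a few for the negative keywords to hit.
SUITES = [
    Suite("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES", 256, "SHA", ALL),
    Suite("AES256-SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "RSA", "AES", 256, "SHA256", TLS12),
    Suite("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES", 128, "SHA", ALL),
    Suite("AES128-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA", "AES", 128, "SHA256", TLS12),
    Suite("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", "AES", 256, "SHA", TLS_ONLY),
    Suite("ECDHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", "AES", 128, "SHA", TLS_ONLY),
    Suite("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES", 256, "SHA", ALL),
    Suite("RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4", 128, "SHA", ALL),
    Suite("DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "3DES", 168, "SHA", ALL),
    Suite("EXP-RC4-MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", "RC4", 40, "MD5", frozenset({"SSLv3", "TLSv1"})),
]

KEYWORDS = {
    "RSA": lambda s: s.kx == "RSA",          # static RSA key exchange only (assumption)
    "ECDHE": lambda s: s.kx == "ECDHE",
    "DHE": lambda s: s.kx == "DHE",
    "EDH": lambda s: s.kx == "DHE",
    "ADH": lambda s: s.kx == "ADH",
    "DH": lambda s: s.kx in ("DHE", "ADH"),
    "AES": lambda s: s.enc == "AES",
    "RC4": lambda s: s.enc == "RC4",
    "3DES": lambda s: s.enc == "3DES",
    "DES": lambda s: s.enc == "DES",         # single DES only, as in OpenSSL
    "MD5": lambda s: s.mac == "MD5",
    "SHA": lambda s: s.mac == "SHA",
    "SHA256": lambda s: s.mac == "SHA256",
    "EXPORT": lambda s: s.bits <= 56,        # assumption: export grade == 56 bits or less
}


def _match(kw):
    if kw in PROTOCOLS:
        return [s for s in SUITES if kw in s.protocols]
    if kw in KEYWORDS:
        return [s for s in SUITES if KEYWORDS[kw](s)]
    return [s for s in SUITES if s.name == kw]   # exact suite name, e.g. RC4-SHA


def evaluate(cipher_string):
    """Return the suite names a profile with this cipher string would offer, in order."""
    enabled, selected, killed = set(), [], set()
    for tok in cipher_string.split(":"):
        if tok == "@STRENGTH":
            selected.sort(key=lambda s: s.bits, reverse=True)   # stable: keeps prior order within a tier
        elif tok.startswith("!"):
            kw = tok[1:]
            if kw in PROTOCOLS:
                enabled.discard(kw)
            else:
                killed.update(s.name for s in _match(kw))
                selected = [s for s in selected if s.name not in killed]
        elif tok.startswith("-"):
            dropped = {s.name for s in _match(tok[1:])}
            selected = [s for s in selected if s.name not in dropped]
        else:
            if tok in PROTOCOLS:
                enabled.add(tok)
            for s in _match(tok):
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected if s.protocols & enabled]


def no_forward_secrecy(cipher_string):
    """Suites left in the list that use static RSA key exchange, in scanner (IANA) form."""
    by_name = {s.name: s for s in SUITES}
    return [by_name[n].iana for n in evaluate(cipher_string) if by_name[n].kx == "RSA"]


ORIGINAL = "TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH"
FIXED = "TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:!RSA:@STRENGTH"

if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL), ("with !RSA", FIXED)):
        print(label, evaluate(cs))
        print("  static RSA (no forward secrecy):", no_forward_secrecy(cs))
```

Against this table the original string yields exactly the four TLS_RSA_WITH_AES_* suites the scan flagged, and !RSA leaves only the ECDHE-RSA suites, since !DH in the same string has already removed DHE. The model is only a reading aid: the authoritative list is what the unit itself resolves, which on BIG-IP releases that support it you get with `tmm --clientciphers '<cipher string>'`, and what an outside scan such as `nmap --script ssl-enum-ciphers -p 443 <host>` reports against the virtual server. Which forward-secret suites remain usable depends on what the installed version supports, which is why it needs testing rather than assuming.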
Hi Sabir,
Please pay attention to this article:
https://support.f5.com/csp/article/K15194