Block Ciphers F5 LTM
Hello, I want to block specific ciphers on my LTM. We use a common SSL client profile for a good chunk of our sites/subdomains. Below are the two ciphers I want to block (SSL Labs reports them as weak). Below that is what we currently have on our SSL client profile.
We're running LTM 11.5.1 build 6.0 hotfix FH6
Ciphers I need to block:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Currently configured on LB:
DEFAULT:!SSLv3:!RC4
Should the SSL profile be updated as below?
DEFAULT:!SSLv3:!RC4:!3DES
I don't want to guess, so I'd appreciate any assistance provided.
Thanks in advance.
Diane
- Leonardo_Souza
The first thing you need to understand is the fact that the "DEFAULT" changes between versions. If you update the F5 to 12.1.2, it will probably have a default that has removed the ciphers that are considered weak today.
Secondly, no need to guess, as you can test the behaviour without applying the change. If you run these commands:
tmm --clientciphers 'DEFAULT:!SSLv3:!RC4'
tmm --clientciphers 'DEFAULT:!SSLv3:!RC4:!3DES'
and compare the output, you will know which ciphers were removed.
Lastly, some solutions that explain a little bit more:
https://support.f5.com/csp/article/K13156
https://support.f5.com/csp/article/K13163
Or the main solution for SSL profiles:
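Added example, not part of the original posts: a small bash helper for the before/after comparison described in the answer above. It assumes the row layout of `tmm --clientciphers` output shown in the sample (index, ID, suite, bits, protocol, ...); the sample rows are constructed and `removed_ciphers` is a hypothetical helper name.

```shell
#!/bin/bash
# removed_ciphers BEFORE AFTER: print "SUITE PROT" for every entry that is
# present in BEFORE but absent from AFTER.
# Assumed row layout: "<n>: <ID> <SUITE> <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>"
removed_ciphers() {
    awk '
        $1 !~ /^[0-9]+:$/ { next }            # skip header and blank lines
        { key = $3 " " $5 }                   # suite name + protocol
        pass == 1 { after[key] = 1; next }    # first file read: the new string
        !(key in after) { print key }         # second file read: report what is gone
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed, abbreviated sample output; not captured from a real BIG-IP.
sample_before() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA
 1:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
 2:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA
 3:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
 4: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
EOF
}
# Stand-in for the output of the string with ":!3DES" appended.
sample_after() { sample_before | grep -v 'DES-CBC3'; }

demo() {
    dir=$(mktemp -d) || return 1
    sample_before > "$dir/before.txt"
    sample_after  > "$dir/after.txt"
    removed_ciphers "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

# On the BIG-IP itself (single quotes keep interactive bash from expanding "!"):
#   tmm --clientciphers 'DEFAULT:!SSLv3:!RC4'       > before.txt
#   tmm --clientciphers 'DEFAULT:!SSLv3:!RC4:!3DES' > after.txt
#   removed_ciphers before.txt after.txt
demo
```

The IDs 10 and 49170 in the sample are the decimal forms of the 0xa and 0xc012 values SSL Labs reported, so both flagged suites should appear in the removed list and nothing else should.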