Forum Discussion
Cipher suite
Hi All,
Please let me know the strongest cipher suite that can be configured in the LTM to overcome all the vulnerabilities.
Thanks in advance.
-Cyril
5 Replies
- Kevin_K_51432
Historic F5 Account
Hi Cyril, Hopefully these solutions can offer you some guidance:
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
- Cyril
Nimbostratus
Hi Kevin,
Thanks for the update.
I want to mitigate RC4 related attacks, BEAST attack, LUCKY 13 and Forward Secrecy issue. Is there any particular cipher suite recommended to fix these issues?
Thanks, -Cyril
- nitass
Employee
I want to mitigate RC4 related attacks, BEAST attack, LUCKY 13 and Forward Secrecy issue. Is there any particular cipher suite recommended to fix these issues?
sol13400: SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13400.html
- Cyril
Nimbostratus
How about using this cipher suite -
EDH+AESGCM:EDH+AES:AESGCM:AES:-SSLv3:EDH+AES:EDH+3DES:AES:RC4:3DES:!ADH:!ECDH:!DSS:!MD5:!PSK:!eNULL:!aNULL:!SRP:!EXP:!DES
Can I use this or not? Please guide me.
- nitass
Employee
You can use tmm --clientciphers to check.
e.g.
```
[root@ve11a:Active:In Sync] config tmm --clientciphers 'EDH+AESGCM:EDH+AES:AESGCM:AES:-SSLv3:EDH+AES:EDH+3DES:AES:RC4:3DES:!ADH:!ECDH:!DSS:!MD5:!PSK:!eNULL:!aNULL:!SRP:!EXP:!DES'
       ID  SUITE                     BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    51  DHE-RSA-AES128-SHA        128  TLS1    Native  AES     SHA     EDH/RSA
 1:    51  DHE-RSA-AES128-SHA        128  TLS1.1  Native  AES     SHA     EDH/RSA
 2:    51  DHE-RSA-AES128-SHA        128  TLS1.2  Native  AES     SHA     EDH/RSA
 3:    57  DHE-RSA-AES256-SHA        256  TLS1    Native  AES     SHA     EDH/RSA
 4:    57  DHE-RSA-AES256-SHA        256  TLS1.1  Native  AES     SHA     EDH/RSA
 5:    57  DHE-RSA-AES256-SHA        256  TLS1.2  Native  AES     SHA     EDH/RSA
 6:    47  AES128-SHA                128  TLS1    Native  AES     SHA     RSA
 7:    47  AES128-SHA                128  TLS1.1  Native  AES     SHA     RSA
 8:    47  AES128-SHA                128  TLS1.2  Native  AES     SHA     RSA
 9:    47  AES128-SHA                128  DTLS1   Native  AES     SHA     RSA
10:    53  AES256-SHA                256  TLS1    Native  AES     SHA     RSA
11:    53  AES256-SHA                256  TLS1.1  Native  AES     SHA     RSA
12:    53  AES256-SHA                256  TLS1.2  Native  AES     SHA     RSA
13:    53  AES256-SHA                256  DTLS1   Native  AES     SHA     RSA
14:    60  AES128-SHA256             128  TLS1.2  Native  AES     SHA256  RSA
15:    61  AES256-SHA256             256  TLS1.2  Native  AES     SHA256  RSA
16: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1    Native  AES     SHA     ECDHE_RSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1.1  Native  AES     SHA     ECDHE_RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1.2  Native  AES     SHA     ECDHE_RSA
19: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1    Native  AES     SHA     ECDHE_RSA
20: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.1  Native  AES     SHA     ECDHE_RSA
21: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.2  Native  AES     SHA     ECDHE_RSA
22:    51  DHE-RSA-AES128-SHA        128  SSL3    Native  AES     SHA     EDH/RSA
23:    57  DHE-RSA-AES256-SHA        256  SSL3    Native  AES     SHA     EDH/RSA
24:    22  DHE-RSA-DES-CBC3-SHA      192  TLS1    Native  DES     SHA     EDH/RSA
25:    22  DHE-RSA-DES-CBC3-SHA      192  TLS1.1  Native  DES     SHA     EDH/RSA
26:    22  DHE-RSA-DES-CBC3-SHA      192  TLS1.2  Native  DES     SHA     EDH/RSA
27:    22  DHE-RSA-DES-CBC3-SHA      192  SSL3    Native  DES     SHA     EDH/RSA
28:    47  AES128-SHA                128  SSL3    Native  AES     SHA     RSA
29:    53  AES256-SHA                256  SSL3    Native  AES     SHA     RSA
30:     5  RC4-SHA                   128  TLS1    Native  RC4     SHA     RSA
31:     5  RC4-SHA                   128  TLS1.1  Native  RC4     SHA     RSA
32:     5  RC4-SHA                   128  TLS1.2  Native  RC4     SHA     RSA
33:     5  RC4-SHA                   128  SSL3    Native  RC4     SHA     RSA
34:    10  DES-CBC3-SHA              192  TLS1    Native  DES     SHA     RSA
35:    10  DES-CBC3-SHA              192  TLS1.1  Native  DES     SHA     RSA
36:    10  DES-CBC3-SHA              192  TLS1.2  Native  DES     SHA     RSA
37:    10  DES-CBC3-SHA              192  DTLS1   Native  DES     SHA     RSA
38: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1    Native  DES     SHA     ECDHE_RSA
39: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1.1  Native  DES     SHA     ECDHE_RSA
40: 49170  ECDHE-RSA-DES-CBC3-SHA    192  TLS1.2  Native  DES     SHA     ECDHE_RSA
41:    10  DES-CBC3-SHA              192  SSL3    Native  DES     SHA     RSA
```
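An added example, not part of any post in this thread and not F5 tooling: a small Python parser that tags rows of `tmm --clientciphers` output with the four concerns raised above (RC4, BEAST, Lucky 13, forward secrecy). The sample rows are copied from the output above; the function names, the tag names and the rule that AES/DES rows are CBC unless the suite name contains GCM are assumptions of this sketch, and a tag marks that a suite falls in an attack's scope, not that the box is unpatched.

```python
# Added example, not from the thread. Rows are copied from the output above.
SAMPLE = """\
       ID  SUITE                     BITS PROT    METHOD  CIPHER  MAC  KEYX
 0:    51  DHE-RSA-AES128-SHA        128  TLS1    Native  AES     SHA  EDH/RSA
 2:    51  DHE-RSA-AES128-SHA        128  TLS1.2  Native  AES     SHA  EDH/RSA
 8:    47  AES128-SHA                128  TLS1.2  Native  AES     SHA  RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA  128  TLS1.2  Native  AES     SHA  ECDHE_RSA
22:    51  DHE-RSA-AES128-SHA        128  SSL3    Native  AES     SHA  EDH/RSA
30:     5  RC4-SHA                   128  TLS1    Native  RC4     SHA  RSA
41:    10  DES-CBC3-SHA              192  SSL3    Native  DES     SHA  RSA
"""

def parse(text):
    """Yield one dict per data row; header and prompt lines are skipped."""
    for line in text.splitlines():
        p = line.split()
        # Data rows: "<n>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
        if len(p) == 9 and p[0].endswith(":") and p[0][:-1].isdigit():
            yield {"suite": p[2], "prot": p[4], "cipher": p[6], "keyx": p[8]}

def findings(row):
    """Return which of the thread's four concerns apply to one row."""
    # Assumption: AES and DES (3DES) rows are CBC unless the suite name says GCM.
    cbc = row["cipher"] in ("AES", "DES") and "GCM" not in row["suite"]
    out = []
    if row["cipher"] == "RC4":
        out.append("RC4")
    if cbc and row["prot"] in ("SSL3", "TLS1"):
        out.append("BEAST")      # CBC under SSL 3.0 / TLS 1.0
    if cbc:
        out.append("LUCKY13")    # CBC with MAC-then-encrypt, any version
    if row["keyx"] == "RSA":
        out.append("NO-FS")      # static RSA key exchange, no forward secrecy
    return out

def audit(text):
    """Return (suite, protocol, tags) for every row in the pasted output."""
    return [(r["suite"], r["prot"], findings(r)) for r in parse(text)]

if __name__ == "__main__":
    for suite, prot, tags in audit(SAMPLE):
        print(f"{suite:26} {prot:7} {', '.join(tags) or 'clean'}")
```

Run against the full output in the thread, every row gets at least one tag, because each listed suite is either CBC-mode or RC4.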