Forum Discussion

Robberhines_120
Apr 17, 2014

Clarification of Cipher settings

I have been tasked with ensuring that our ciphers are set correctly for PCI compliance. Now, our LTM devices have been up and running for a while and were set up by a previous admin.


We are currently on 11.4.1, and from all the documentation it appears that if we set the SSL profiles under the client profile to just DEFAULT we should be fine for having the required weak ciphers disabled. However, currently what is set is the following: RC4:!EXP-RC4-MD5:!EXP1024-RC4-SHA


Does this mean that we are only accepting RC4 connections, or are the default settings being used and the RC4 ciphers are not being used? On the back side of the client profile, the server SSL profiles are set to use DEFAULT.


3 Replies

  • nathe

    Yes, only RC4 ciphers, but not RC4 with the following 2 cipher suites.


    The DEFAULT cipher does allow for RC4. There's a good article on DC re ciphers to block to mitigate prevalent SSL attacks.


    N


  • nathe

    https://devcentral.f5.com/articles/which-tls-algorithm-should-i-use.U1A35HNwbqA


  • You can display the cipher suite list using tmm --clientciphers. The following is output from 11.5.1.

    [root@ve11a:Active:In Sync] config  tmm --clientciphers 'RC4:!EXP-RC4-MD5:!EXP1024-RC4-SHA'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:     5  RC4-SHA                          128  SSL3    Native  RC4     SHA     RSA
     1:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA
     2:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA
     3:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA
     4:     4  RC4-MD5                          128  SSL3    Native  RC4     MD5     RSA
     5:     4  RC4-MD5                          128  TLS1    Native  RC4     MD5     RSA
     6:     4  RC4-MD5                          128  TLS1.1  Native  RC4     MD5     RSA
     7:     4  RC4-MD5                          128  TLS1.2  Native  RC4     MD5     RSA
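To see why that profile string leaves only RC4 suites, here is a small Python model of the OpenSSL-style cipher-string rules that BIG-IP follows. This is an added example, not F5 code or output from the thread: the suite table is constructed (only RC4-SHA and RC4-MD5 are taken from the tmm output above, the other rows are illustrative), protocol versions and the DEFAULT alias are deliberately not modelled, and the final function is a defender's check for weak suites left in a profile.

```python
"""Toy evaluator for an OpenSSL-style cipher string (added example, not F5's implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int
    cipher: str  # bulk cipher family, e.g. RC4, AES, 3DES
    mac: str
    keyx: str


# Constructed table: RC4-SHA and RC4-MD5 match the tmm output in the thread; the rest
# are illustrative entries with realistic attributes, not a dump of any BIG-IP build.
SUITES = [
    Suite("RC4-SHA", 128, "RC4", "SHA", "RSA"),
    Suite("RC4-MD5", 128, "RC4", "MD5", "RSA"),
    Suite("EXP-RC4-MD5", 40, "RC4", "MD5", "RSA"),
    Suite("EXP1024-RC4-SHA", 56, "RC4", "SHA", "RSA"),
    Suite("AES128-SHA", 128, "AES", "SHA", "RSA"),
    Suite("DES-CBC3-SHA", 168, "3DES", "SHA", "RSA"),
]


def _matches(suite, keyword):
    # A keyword matches by exact suite name or by an attribute (cipher, MAC, key exchange).
    # "A+B" inside a keyword requires every part to match the same suite.
    parts = keyword.split("+")
    return all(p == suite.name or p in (suite.cipher, suite.mac, suite.keyx) for p in parts)


def expand(cipher_string, table=SUITES):
    """Ordered suites selected by the string: bare keyword appends, '!' removes and bans,
    '-' removes, '+' prefix moves matching suites to the end. Aliases like DEFAULT are not modelled."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, kw = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in table if _matches(s, kw)]
        if op == "!":
            banned.update(hits)
            selected = [s for s in selected if s not in banned]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:
            selected += [s for s in hits if s not in banned and s not in selected]
    return selected


def weak_suites(selected):
    """Defender's check: flag anything RC4-based, MD5-MAC'd or below 128 bits."""
    return [s.name for s in selected if s.cipher == "RC4" or s.mac == "MD5" or s.bits < 128]
```

Running `expand("RC4:!EXP-RC4-MD5:!EXP1024-RC4-SHA")` against this table yields exactly RC4-SHA and RC4-MD5, matching the tmm listing, and `weak_suites` flags both.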