mc1903_137193
Sep 25, 2015 (Nimbostratus)
Client SSL Profile Cipher...Disable DES-CBC3-SHA.
One of my sites has just been penetration tested and a low risk was identified.
The following weak ciphers were supported:
Testing SSL server mysite.fqdn on port 443
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
**Accepted TLSv1 168 bits DES-CBC3-SHA**
Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
It is the TLSv1 168 bits DES-CBC3-SHA that they are not happy about, but I am not sure how to disable it in the SSL Client profile. They also suggest disabling any ciphers using 128-bit keys, so I guess TLSv1 128 bits AES128-SHA needs to go as well.
The current setting is:
TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH
Is there a document that clearly shows how to achieve both? I struggle with these LTMs at the best of times. 😞
I am running BIG-IP v11.6.0 (Build 5.0.429) if that has a bearing.
Any help offered will be appreciated.
Thanks, Martin
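An added example (not from this thread or from F5) that scores the scan lines above against the tester's two objections and checks whether the current cipher string already carries the matching exclusion keyword. It assumes OpenSSL cipher-string keyword semantics, where `!DES` excludes single DES only and triple DES needs `!3DES`; whether BIG-IP v11.6 interprets these keywords identically is an assumption to confirm against the F5 cipher documentation before applying it to a profile.

```python
"""Assess sslscan-style output and check a cipher string's exclusions."""
import re

# Constructed sample, mirroring the scan output quoted in the post.
SCAN_OUTPUT = """\
Testing SSL server mysite.fqdn on port 443
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
"""

# The cipher string from the post, verbatim.
CURRENT_CIPHERS = ("TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT"
                   ":!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH")

ACCEPTED = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)$")


def parse_accepted(text):
    """Return (protocol, bits, cipher) for every 'Accepted' line."""
    hits = []
    for line in text.splitlines():
        m = ACCEPTED.match(line.strip())
        if m:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


def assess(ciphers, min_bits=256):
    """Flag what the tester objected to: 3DES, and keys below min_bits.

    Returns (cipher, reason, exclusion keyword). The keyword mapping assumes
    OpenSSL semantics: 3DES is '3DES', not 'DES'; 128-bit AES is 'AES128'.
    """
    findings = []
    for _proto, bits, name in ciphers:
        if "DES-CBC3" in name:
            # Listed as 168 bits, but 3DES gives only 112-bit effective strength.
            findings.append((name, "3DES, 112-bit effective strength", "!3DES"))
        elif bits < min_bits:
            findings.append((name, f"{bits}-bit key below {min_bits}", f"!AES{bits}"))
    return findings


def missing_exclusions(cipher_string, findings):
    """Exclusion keywords the findings call for that the string lacks."""
    present = set(cipher_string.split(":"))
    needed = []
    for _name, _reason, keyword in findings:
        if keyword not in present and keyword not in needed:
            needed.append(keyword)
    return needed
```

Running `missing_exclusions(CURRENT_CIPHERS, assess(parse_accepted(SCAN_OUTPUT)))` shows that `!DES` in the existing string does not cover DES-CBC3-SHA under these semantics, which is why the 3DES suite survived the scan.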