Forum Discussion
mc1903_137193
Nimbostratus
NimbostratusClient SSL Profile Cipher...Disable DES-CBC3-SHA.
One of my sites has just be penetration tested and a low risk was identified.
The following weak ciphers were supported
Testing SSL server mysite.fqdn on port 443
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
**Accepted TLSv1 168 bits DES-CBC3-SHA**
Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
It is the TLSv1 168 bits DES-CBC3-SHA that they are not happy about, but I am not sure how to disable it in the SSL Client profile. They also suggest disabling any ciphers using 128 bit keys - so I guess TLSv1 128 bits AES128-SH needs to go as well.
The current setting is
TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH
Is there a document that clearly shows how to achieve both - I struggle with these LTM's at the best of times. 😞
I am running BIG-IP v11.6.0 (Build 5.0.429) if that has a bearing.
Any help offered will be appreciated.
Thanks, Martin
MVA_60288Altocumulus
You can disable in the client-ssl profile specific to the VIP or at the parent client-ssl profile by adding "!DES-CBC3-SHA" at the Ciphers section. i.e., "DEFAULT;!DES-CBC3-SHA". Then re-scan to confirm it's disabled or via openssl "openssl s_client -cipher 'DES-CBC3-SHA' -connect %IP%:443"
Hope that helps.
mc1903_137193Thank you Mel. I have just tried your suggestion and I get the following error when I press update: 01070312:3: Invalid keyword 'des-cbc3-sha' in ciphers list for profile /Common/mysite-fqdn_client_ssl_profile Any thoughts what I have done wrong? Martin
MVAYou can disable in the client-ssl profile specific to the VIP or at the parent client-ssl profile by adding "!DES-CBC3-SHA" at the Ciphers section. i.e., "DEFAULT;!DES-CBC3-SHA". Then re-scan to confirm it's disabled or via openssl "openssl s_client -cipher 'DES-CBC3-SHA' -connect %IP%:443"
Hope that helps.
- mc1903_137193Thank you Mel. I have just tried your suggestion and I get the following error when I press update: 01070312:3: Invalid keyword 'des-cbc3-sha' in ciphers list for profile /Common/mysite-fqdn_client_ssl_profile Any thoughts what I have done wrong? Martin
Brad_Parker_139Nacreous
This will disable 3DES and prioritize PFS and GCM.
. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.'!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'- Brad_Parker_139tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES' produces these ciphers and order. ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 8: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 9: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 13: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 14: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 17: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
- Brad_Parker_139Also, if you really want to disable AES128-SHA like you mentioned above you can add a "!AES128-SHA" to the string.
- mc1903_137193Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.
Brad_ParkerCirrus
This will disable 3DES and prioritize PFS and GCM.
. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.'!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'- Brad_Parkertmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES' produces these ciphers and order. ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 8: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 9: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 13: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 14: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 17: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
- Brad_ParkerAlso, if you really want to disable AES128-SHA like you mentioned above you can add a "!AES128-SHA" to the string.
- mc1903_137193Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.
- MVA_60288
Ensure the cipher section has "DEFAULT:!DES-CBC3-SHA", no quotes. Note, my original comment has semi-colon and it should be colon. Try that.
- mc1903_137193Thanks again Mel. That was accepted this time, but when I retested my site the SSL Labs test rating dropped from an A+ (100/97/100/90) to a B (100/70/80/90).
- MVA
Ensure the cipher section has "DEFAULT:!DES-CBC3-SHA", no quotes. Note, my original comment has semi-colon and it should be colon. Try that.
- mc1903_137193Thanks again Mel. That was accepted this time, but when I retested my site the SSL Labs test rating dropped from an A+ (100/97/100/90) to a B (100/70/80/90).