Forum Discussion

mc1903_137193

Nimbostratus

Sep 25, 2015

Client SSL Profile Cipher...Disable DES-CBC3-SHA.

One of my sites has just be penetration tested and a low risk was identified. The following weak ciphers were supported Testing SSL server mysite.fqdn on port 443 Supported Server Cipher(s): ...

Cirrus

This will disable 3DES and prioritize PFS and GCM.

'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'

. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.

'!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'

Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.

Brad_Parker

Cirrus

Sep 25, 2015

Also, if you really want to disable AES128-SHA like you mentioned above you can add a "!AES128-SHA" to the string.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Client SSL Profile Cipher...Disable DES-CBC3-SHA.

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Disabling Ciphers

Update your DevCentral user profile

DoS Profiles

Weak Cipher Disabling

Client SSL Profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS