Forum Discussion
mc1903_137193
Sep 25, 2015Nimbostratus
Client SSL Profile Cipher...Disable DES-CBC3-SHA.
One of my sites has just be penetration tested and a low risk was identified.
The following weak ciphers were supported
Testing SSL server mysite.fqdn on port 443
Supported Server Cipher(s):
...
Brad_Parker_139
Nacreous
This will disable 3DES and prioritize PFS and GCM.
'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e. '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.mc1903_137193
Sep 25, 2015Nimbostratus
Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects