Forum Discussion

mc1903_137193

Nimbostratus

Sep 25, 2015

Client SSL Profile Cipher...Disable DES-CBC3-SHA.

One of my sites has just be penetration tested and a low risk was identified. The following weak ciphers were supported Testing SSL server mysite.fqdn on port 443 Supported Server Cipher(s): ...

Cirrus

This will disable 3DES and prioritize PFS and GCM.

'!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'

. Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.

'!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'

Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.

mc1903_137193

Nimbostratus

Sep 25, 2015

Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Client SSL Profile Cipher...Disable DES-CBC3-SHA.

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Disabling Ciphers

Update your DevCentral user profile

SSL Profiles

DoS Profiles

disable ciphers 1.0 and 1.1 on ssl client profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS