Forum Discussion
Create cipher group in f5
- May 21, 2025
As far as I am aware you cannot disable just TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, for example. You need to disable all ECDHE, which you probably do not want to.
For CHACHA20 use:
DEFAULT:!sslv3:!rc4:!exp:!des:!3des:!RSA:!DHE:!TLSv1:CHACHA20-POLY1305
You can actually be very granular with that. Take a look here: K000137907: Commands to see Ciphers and Protocols used in a particular STRING
This is a very secure cipher string: 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
This leaves only TLS 1.3 and only one TLS 1.2 ECDHE cipher with AES256 and SHA384. All weaker TLS 1.2 ciphers are excluded.
[root@awaf:Active:Standalone] config # tmm --clientciphers 'TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2'
ID SUITE BITS PROT CIPHER MAC KEYX
0: 4865 TLS13-AES128-GCM-SHA256 128 TLS1.3 AES-GCM NULL *
1: 4866 TLS13-AES256-GCM-SHA384 256 TLS1.3 AES-GCM NULL *
2: 4867 TLS13-CHACHA20-POLY1305-SHA256 256 TLS1.3 CHACHA20-POLY1305 NULL *
3: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA
- Injeyan_Kostas, May 21, 2025 (Nacreous)
F5 shows ECDHE-RSA-AES256-SHA384/TLS1.2 as available but ssllabs test shows only TLS1_3
- THE_BLUE, May 22, 2025 (Cirrostratus)
Yes, exactly. When I apply that and test it with SSL Labs, it shows no cipher for TLS 1.2 and the score becomes lower.
- Injeyan_Kostas, May 22, 2025 (Nacreous)
Actually I missed -GCM-.
TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2 works fine. Thanks Daniel_Wolf
I would also use ECDHE-ECDSA-AES128-GCM-SHA256 to have some more backward compatibility for older clients, and maybe DTLS for VPN.
- Daniel_Wolf, May 22, 2025 (MVP)
TLSv1_3:ECDHE-ECDSA-AES256-GCM-SHA384:!DTLSv1_2 - works with EC cert for TLS1_2
TLSv1_3:ECDHE-RSA-AES256-GCM-SHA384:!DTLSv1_2 - works with RSA cert for TLS1_2
For TLSv1.3, both will use TLS_AES_256_GCM_SHA384 if ordered by strength in the Cipher Group, no matter whether the cert is EC or RSA.
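The following is an added example, not F5 code or anything posted in this thread: a simplified Python model of how a colon-separated cipher string with `!` exclusions is expanded, plus a check of which suites a VIP can actually negotiate given its certificate type. It explains why the ECDHE-ECDSA string looks complete in `tmm --clientciphers` but leaves an RSA-cert VIP with only TLS 1.3 in an SSL Labs scan. The suite table is a constructed subset of the tmm output quoted above, and the keyword semantics (TLSv1_3, DTLSv1_2, ECDHE, DEFAULT) are assumptions for this model, not F5's exact grammar.

```python
# Constructed table: (name, bits, protocol, key exchange). Subset of the
# tmm --clientciphers output shown in the thread, plus a DTLS duplicate
# of one suite to show why the !DTLSv1_2 exclusion matters.
SUITES = [
    ("TLS13-AES128-GCM-SHA256", 128, "TLS1.3", "*"),
    ("TLS13-AES256-GCM-SHA384", 256, "TLS1.3", "*"),
    ("TLS13-CHACHA20-POLY1305-SHA256", 256, "TLS1.3", "*"),
    ("ECDHE-ECDSA-AES256-GCM-SHA384", 256, "TLS1.2", "ECDHE_ECDSA"),
    ("ECDHE-ECDSA-AES128-GCM-SHA256", 128, "TLS1.2", "ECDHE_ECDSA"),
    ("ECDHE-RSA-AES256-GCM-SHA384", 256, "TLS1.2", "ECDHE_RSA"),
    ("ECDHE-RSA-AES256-SHA384", 256, "TLS1.2", "ECDHE_RSA"),
    ("ECDHE-RSA-AES256-GCM-SHA384", 256, "DTLS1.2", "ECDHE_RSA"),
]

# Assumed keyword groups: a keyword selects by protocol or key exchange.
GROUPS = {
    "DEFAULT": lambda s: True,
    "TLSv1_3": lambda s: s[2] == "TLS1.3",
    "TLSv1_2": lambda s: s[2] == "TLS1.2",
    "DTLSv1_2": lambda s: s[2] == "DTLS1.2",
    "ECDHE": lambda s: s[3].startswith("ECDHE"),
}


def expand(cipher_string):
    """Return the suites selected by an F5-style cipher string, in order.

    Plain tokens add matching suites; '!' tokens exclude matches permanently
    (modelled on OpenSSL's '!'). A suite is identified by name + protocol so
    the TLS and DTLS variants of one name are tracked separately."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        name = token.lstrip("!")
        match = GROUPS.get(name) or (lambda s, n=name: s[0] == n)
        hits = [s for s in SUITES if match(s)]
        if token.startswith("!"):
            banned.update((h[0], h[2]) for h in hits)
        else:
            selected.extend(h for h in hits if h not in selected)
    return [s for s in selected if (s[0], s[2]) not in banned]


def negotiable(cipher_string, cert_type):
    """Drop suites whose key exchange needs a certificate the VIP lacks.

    cert_type is 'RSA' or 'ECDSA'. TLS 1.3 suites ('*') work with either."""
    return [s for s in expand(cipher_string)
            if s[3] == "*" or s[3].endswith(cert_type)]
```

With `negotiable(..., "RSA")`, the ECDHE-ECDSA string leaves only the three TLS 1.3 suites, which matches the scan result reported above; the ECDHE-RSA variant keeps its TLS 1.2 suite.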