Forum Discussion

b_sean_377285
Apr 10, 2019

Disable 3DES for Admin HTTPS access



I need to disable 3DES as part of the SWEET32 vulnerability. I have gone through a few articles, and they mention modifying the SSL client profile and commenting out 3DES. My question is:


  1. What client profile is used for admin access?
  2. Or do I need to modify httpd ssl-ciphersuite to have this fixed?

Thanks, Sean


5 Replies

  • Hi,

    You don't use a client ssl for admin access. You have to use tmsh in order to disable ciphers on admin access.

    First off, if you want to check the cipher used, enter this command:

    list sys httpd ssl-ciphersuite

    sys httpd {

    So if you want to disable 3DES you can just add

    at the end of the line.

    So to modify SSL-Ciphersuite follow this procedure:

    tmsh modify sys httpd ssl-ciphersuite 'ECDHE-RSA-AES128-GCM-SHA256:....:!DES:!3DES'
    tmsh save sys config
    bigstart restart httpd

    Keep me in touch.
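
Added example (not part of the thread and not F5 tooling): a static check of an httpd ssl-ciphersuite string that shows why `!DES` alone leaves 3DES in place, since in OpenSSL cipher-string syntax `DES` covers single DES only and `3DES` is a separate keyword. `SAMPLE_TMSH` is constructed in the assumed shape of the `list sys httpd ssl-ciphersuite` output; `extract_suite` and `check_3des` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample, not captured from a real device.
SAMPLE_TMSH='sys httpd {
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DES
}'

# Pull the cipher string out of the listing (second field of the
# ssl-ciphersuite line).
extract_suite() {
    printf '%s\n' "$1" | awk '$1 == "ssl-ciphersuite" { print $2; exit }'
}

# Print one verdict for a cipher string:
#   excluded   - contains !3DES, which permanently removes every 3DES suite
#   enabled    - names a 3DES suite or the 3DES keyword, with no !3DES
#   unverified - nothing explicit, but keywords such as DEFAULT or HIGH may
#                still expand to 3DES depending on the OpenSSL build
check_3des() {
    verdict=unverified
    old_ifs=$IFS
    IFS=':, '   # OpenSSL accepts colon, comma or space as separators
    set -f      # no glob expansion while splitting
    for tok in $1; do
        case $tok in
            '!3DES') verdict=excluded; break ;;
            # Removals and reorderings never add 3DES, and !DES only
            # covers single DES.
            '!'*|'-'*|'+'*) ;;
            *3DES*|*DES-CBC3*) verdict=enabled ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$verdict"
}

# Verdict for the constructed sample.
check_3des "$(extract_suite "$SAMPLE_TMSH")"
```

An `unverified` result needs confirming with a TLS scan of the management port after httpd has been restarted.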


  • I've just had a scan report for this on my F5s.

    So this will modify the cipher suite for admin only?

    For vServers I need to maintain the multi-suite available due to some application owners not updating their apps for years and actually can't upgrade some. We're proxying between suites for some services (false security imho but I do what I'm told)