Forum Discussion

b_sean_377285's avatar
b_sean_377285
Icon for Nimbostratus rankNimbostratus
Apr 10, 2019

Disable 3DES for Admin HTTPS access

Hi,   I need to disable 3DES as a part of SWEET32 vulnerability. I have gone through few articles and they mention modifying the SSL client profile and commenting out 3DES. My question is -   ...
application delivery
BIG-IP
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 10, 2019

Hi,

You don't use a client ssl for admin access. you have to use tmsh in order to disable ciphers on admin access.

First of if you want to check cipher used, enter this command:

list sys httpd ssl-ciphersuite

sys httpd {
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
    }

So if you want to disable 3DES you can just add 

:!DES:!DES
at the end of the line.

So to modify SSL-Ciphersuite follow this procedure:

tmsh modify sys httpd ssl-ciphersuite 'ECDHE-RSA-AES128-GCM-SHA256:....:!DES:!DES'
tmsh save sys config
bigstart restart httpd

Keep me in touch.

regards