F5ROCK
Feb 23, 2022 (Nimbostratus)
Disable below cipher
I tried to disable the below ciphers (customer requirement):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
This is the cipher string I am using, and we still see the above weak ciphers:
ECDHE:RSA:!TLSv1:!TLSv1_1:!3DES:!DTLSv1:!DHE:!RC4:!EXPORT:!DES:!SSLv3:!SHA1:!AES
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128

So the hex cipher values are 0xc028 and 0xc027; in decimal these are 49192 and 49191.
On the BIG-IP bash command line prompt, we can display all the client cipher names:
# tmm --clientciphers 'ALL'
We can then filter using grep:
# tmm --clientciphers 'ALL' | grep -e "49192" -e "49191"
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

This identifies the relevant ciphers, and these names can be used to remove the ciphers via the cipher string,
e.g.
# tmm --clientciphers 'ECDHE:-3DES:-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

With those ciphers removed:
# tmm --clientciphers 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

K53432077: How to test a cipher string
I hope this helps.
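The lookup in the answer above (scanner hex ID to decimal SUITE value to F5 cipher name, then appended as a -NAME exclusion) as a POSIX shell script. This is an added example, not code from the answer or from F5: the tmm listing is a constructed sample embedded inline because tmm only exists on a BIG-IP, and remaining_names only simulates the explicit -NAME removals, not the full cipher-string grammar.

```shell
#!/bin/sh
# Constructed sample of 'tmm --clientciphers' output, not captured from a real BIG-IP.
SAMPLE_TMM_OUTPUT='ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA'

# hex_to_suite_id 0xc028 -> 49192 (the decimal SUITE column tmm prints)
hex_to_suite_id() {
    printf '%d' "$(( $1 ))"
}

# tmm_name_for_id <decimal id> <tmm listing> -> F5 cipher name, empty if not listed
tmm_name_for_id() {
    printf '%s\n' "$2" | awk -v id="$1" '$2 == id { print $3 }'
}

# build_exclusions <base cipher string> <tmm listing> <hex ids...>
# Appends ':-NAME' for each hex id that resolves to a name in the listing;
# ids that do not resolve are skipped rather than guessed.
build_exclusions() {
    result="$1"; listing="$2"; shift 2
    for hex in "$@"; do
        name=$(tmm_name_for_id "$(hex_to_suite_id "$hex")" "$listing")
        if [ -n "$name" ]; then
            result="$result:-$name"
        fi
    done
    printf '%s' "$result"
}

# remaining_names <cipher string> <tmm listing>
# Simulates only the explicit '-NAME' removals against the listing; keyword
# tokens such as ECDHE, -3DES or -SHA are not expanded (tmm itself is the
# authoritative check, as the answer above shows).
remaining_names() {
    printf '%s\n' "$2" | awk -v cs="$1" '
        BEGIN {
            n = split(cs, t, ":")
            for (i = 1; i <= n; i++) if (t[i] ~ /^-/) drop[substr(t[i], 2)] = 1
        }
        NR > 1 && !($3 in drop) { print $3 }'
}

# Stand-alone run: build the exclusion string for the two scanner-flagged suites.
final=$(build_exclusions 'ECDHE:-3DES:-SHA' "$SAMPLE_TMM_OUTPUT" 0xc027 0xc028)
printf 'cipher string: %s\n' "$final"
remaining_names "$final" "$SAMPLE_TMM_OUTPUT"
```

On a real BIG-IP, replace SAMPLE_TMM_OUTPUT with the captured output of tmm --clientciphers 'ALL' and confirm the final string with tmm as the answer does.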