Forum Discussion
disable cipher tls_rsa_with_3des_ede_cbc_sha
Hi all,
One of my customers was doing a vulnerability scan and was prompted with a message:
"Negociated with the following insecure cipher suites: TLS 1.2 ciphers tls_rsa_with_3des_ede_cbc_sha"
I have searched through Google, DevCentral and AskF5. However, even though there is a lot of discussion going on, there is no indication of how to block or disable the cipher.
It would be good if someone could point me in the right direction or to material that can help me with the above.
Thank you.
6 Replies
- Vitaliy_Savrans
Nacreous
Hi,
This solution will help you: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
- henry_kay_36032
Nimbostratus
Hi Vitaliy,
Thanks for the link that you attached. I have gone through the items, but it seems that I couldn't disable the cipher suite.
But I have opened a support case with support. I will give feedback here once I get a reply from support.
- Brad_Parker
Cirrus
This cipher string will disable 3DES as well as prioritize PFS and GCM.
    !EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES

    tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES'
            ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     2:  49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
     3:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
     4:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
     5:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
     6:  49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
     7:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
     8:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
     9:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
    10:    157  AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
    11:    156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
    12:     61  AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
    13:     53  AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
    14:     53  AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
    15:     53  AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
    16:     60  AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
    17:     47  AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
    18:     47  AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
    19:     47  AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA

- Brad_Parker
Cirrus
You can also just add "!3DES" to whatever cipher string is currently in use.
- Brad_Parker_139
Nacreous
This cipher string will disable 3DES as well as prioritize PFS and GCM.
    !EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES

    tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES'
            ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     2:  49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
     3:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
     4:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
     5:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
     6:  49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
     7:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
     8:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
     9:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
    10:    157  AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
    11:    156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
    12:     61  AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
    13:     53  AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
    14:     53  AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
    15:     53  AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
    16:     60  AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
    17:     47  AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
    18:     47  AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
    19:     47  AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA

- Brad_Parker_139
Nacreous
You can also just add "!3DES" to whatever cipher string is currently in use.
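
Added example (not from any poster in this thread and not F5 code): a small Python check that parses `tmm --clientciphers` output of the kind posted in the replies and reports any 3DES suites still offered, along with the suites that lack forward secrecy. The sample rows are constructed for illustration; the `DES-CBC3-SHA` row, including its BITS value, is an assumption standing in for the suite the scanner flagged.

```python
import re

# IANA ids of common 3DES suites; 10 (0x000A) is TLS_RSA_WITH_3DES_EDE_CBC_SHA,
# the suite named in the scanner finding.
TRIPLE_DES_IDS = {10, 19, 22, 49160, 49170}

# index: id suite bits prot method cipher mac keyx
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s*$")

def parse_clientciphers(text):
    """Parse `tmm --clientciphers` rows into dicts, keeping preference order."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header line and blank lines do not match and are skipped
            sid, suite, bits, prot, cipher, keyx = m.groups()
            rows.append({"id": int(sid), "suite": suite, "bits": int(bits),
                         "prot": prot, "cipher": cipher, "keyx": keyx})
    return rows

def audit(rows):
    """Report 3DES suites, non-PFS suites, and whether PFS suites are preferred."""
    pfs = [r["keyx"].startswith(("ECDHE", "DHE", "EDH")) for r in rows]
    first_non_pfs = pfs.index(False) if False in pfs else len(pfs)
    return {
        "triple_des": sorted({r["suite"] for r in rows
                              if r["id"] in TRIPLE_DES_IDS or "DES-CBC3" in r["suite"]}),
        "non_pfs": sorted({r["suite"] for r, p in zip(rows, pfs) if not p}),
        # True when no PFS suite appears after the first non-PFS suite
        "pfs_first": all(not p for p in pfs[first_non_pfs:]),
    }

# Constructed sample: a profile that still offers 3DES (before adding "!3DES").
SAMPLE_BEFORE = """\
        ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1:    156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
 2:     10  DES-CBC3-SHA                 192   TLS1.2  Native  DES      SHA     RSA
"""
# Constructed sample: the same profile with the 3DES row gone.
SAMPLE_AFTER = "\n".join(SAMPLE_BEFORE.splitlines()[:-1]) + "\n"

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(parse_clientciphers(sample)))
```

An empty `triple_des` list for the saved output of `tmm --clientciphers '<your string>'` means the string no longer selects the flagged suite; rescan the virtual server afterwards to confirm the profile in use carries that string.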