Forum Discussion
Disable DES Ciphers
Does anyone know why when I disable the DES cipher, it still shows up? Is there a different way to explicitly disable the DES cipher?
These 6 DES at the bottom are still listed:
tmm --clientciphers 'HIGH:!EXPORT:!TLSv1:!TLSv1_1:!DTLSv1:!SSLv3:!DES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
3: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDHE_ECDSA
6: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
7: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
8: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
9: 106 DHE-DSS-AES256-SHA256 256 TLS1.2 Native AES SHA256 DHE/DSS
10: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
11: 56 DHE-DSS-AES256-SHA 256 TLS1.2 Native AES SHA DHE/DSS
12: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
13: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
14: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
15: 49194 ECDH-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_RSA
16: 49190 ECDH-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_ECDSA
17: 49167 ECDH-RSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_RSA
18: 49157 ECDH-ECDSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_ECDSA
19: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
20: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
21: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
23: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_ECDSA
24: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
25: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_RSA
26: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_ECDSA
27: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
6 Replies
- Kevin_Stewart
Employee
It's because DES-CBC3 is 3DES.
tmm --clientciphers 'HIGH:!EXPORT:!TLSv1:!TLSv1_1:!DTLSv1:!SSLv3:!DES:!3DES'
- nathe
Cirrocumulus
TNY, you are disabling DES ciphers. The ones listed are 3DES ciphers (note BITS column).
Note my test with the insecure client cipher profile cipher string setup, the first test shows all DES ciphers and the second (using !DES) disables DES ciphers. Note 3DES ciphers still there.
Hope this helps,
N
[root@bigip2:Active:Standalone] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED' | grep DES
34: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
35: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
36: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
37: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_ECDSA
38: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_ECDSA
39: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_ECDSA
40: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDH_RSA
41: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDH_RSA
42: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_RSA
43: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDH_ECDSA
44: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDH_ECDSA
45: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_ECDSA
46: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
47: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
48: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
49: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
50: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
93: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
94: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
95: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
96: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
97: 98 EXP1024-DES-CBC-SHA 56 SSL3 Native DES SHA RSA
98: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
99: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
102: 8 EXP-DES-CBC-SHA 40 SSL3 Native DES SHA RSA
103: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
104: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
[root@bigip2:Active:Standalone] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!DES:@SPEED' | grep DES
34: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
35: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
36: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
37: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_ECDSA
38: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_ECDSA
39: 49160 ECDHE-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_ECDSA
40: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDH_RSA
41: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDH_RSA
42: 49165 ECDH-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_RSA
43: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDH_ECDSA
44: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDH_ECDSA
45: 49155 ECDH-ECDSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDH_ECDSA
46: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
47: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
48: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
49: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
50: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
- Yann_Desmarest_
Nacreous
Hi,
I think this is because it's not DES ciphers but 3DES. Try using the following command:
tmm --clientciphers 'HIGH:!EXPORT:!TLSv1:!TLSv1_1:!DTLSv1:!SSLv3:!3DES'
- TNY_122436
Nimbostratus
Thanks. Not being a cipher expert, by just looking at the cipher column, I'd assume whatever is listed would be the correct syntax but I guess there are more specifics.
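A check for the behaviour discussed in this thread, as an added example that is not part of the original posts: it reads `tmm --clientciphers` output and separates single-DES from 3DES suites by suite name, because the CIPHER column prints `DES` for both. The function names and the sample listing (rows copied from the output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit `tmm --clientciphers` output for
# DES-family suites. On a BIG-IP: tmm --clientciphers '<string>' | audit_ciphers

# classify_des: read a tmm cipher listing on stdin and print
# "<family> <suite> <bits> <prot>" for every row whose CIPHER column is DES.
# tmm prints "DES" there for both families, so the suite name decides:
# names containing DES-CBC3 are 3DES, the rest are single DES.
classify_des() {
    awk '
        $1 ~ /^[0-9]+:$/ && $7 == "DES" {
            family = ($3 ~ /DES-CBC3/) ? "3DES" : "DES"
            print family, $3, $4, $5
        }'
}

# audit_ciphers: return 0 when no DES-family suite is left, otherwise list
# the offenders and return 1 so the check can gate a change script.
audit_ciphers() {
    _hits=$(classify_des)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits" | sort -u
    return 1
}

# Constructed sample: header plus rows copied from the listings in this thread.
sample_output() {
    cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
21: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
27: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
93: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
EOF
}

sample_output | audit_ciphers || echo "DES-family suites still enabled"
```

Rows reported as `3DES` are the ones that need `!3DES` in the cipher string; rows reported as `DES` are covered by `!DES`.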