Forum Discussion

dpacewam_309700
Feb 09, 2017

Disable ECDHE Cipher Suite for Server Side SSL Profile

Hi,

We have deployed Imperva WAF in transparent bridge mode between our F5 load balancers and Web Servers. In order to perform SSL Decryption, we need to disable certain Cipher Suites including ECHDE and EDH. I have configured the following below but am still getting warnings on the WAF that cipher **TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA** cannot be decrypted.

Current SSL Server Profile: **DEFAULT:!SSLv3:!ECDHE:!EDH**

What else is missing in order to disable cipher **TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA**?

Thanks for your help!

  • JG

    You mis-typed "ECDHE" in your SSL Server Profile.

  • JG

    On v11.6.1, I get this:

     tmm --serverciphers 'DEFAULT:!SSLv3:!ECDHE:!EDH'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA       
     1:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM  SHA256  RSA       
     2:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA       
     3:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA       
     4:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA       
     5:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA       
     6:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA       
     7:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA       
     8:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA       
     9:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA       
    10:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA       
    11:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA       
    12:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA       
    13:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA       
    14:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA       
    15:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA       
    

    which does not include ECDHE at all.

    For testing, you may specify just one "NONE:AES128-SHA256" and see if you still get the same message.
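As an added example (not part of the thread, and not F5's or Imperva's code): a small Python checker that parses a `tmm --serverciphers` listing like the one above and flags any suite whose key exchange is ECDHE or DHE, which is exactly what an inline decryptor holding only the server's RSA private key cannot decrypt. The sample listing is constructed, and the `ECDHE_RSA` value in its KEYX column is an assumption about how tmm labels such suites; the check also falls back to the suite name so it does not depend on that label.

```python
import re

# Row layout of `tmm --serverciphers` as shown in the thread: index, ID,
# SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX (whitespace separated).
_ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+"
    r"(?P<keyx>\S+)\s*$"
)

# Constructed sample (not real tmm output): two RSA key-transport suites
# plus one ECDHE suite (0xC014 = 49172, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# in IANA naming) so the check has something to flag. The "ECDHE_RSA"
# KEYX label is an assumption.
SAMPLE_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA
 1:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
 2: 49172  ECDHE-RSA-AES256-SHA             256  TLS1.2  Native  AES     SHA     ECDHE_RSA
"""

def parse_serverciphers(text):
    """Return one dict per suite row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def is_forward_secret(row):
    """True when the session key is derived with (EC)DH rather than RSA transport.

    A passive decryptor that only has the server's RSA private key can unwrap
    the premaster secret of an RSA key-transport suite, but never recovers an
    ECDHE/DHE shared secret, so those suites are the ones the WAF reports."""
    keyx = row["keyx"].upper()
    suite = row["suite"].upper()
    return "DHE" in keyx or suite.startswith(("ECDHE-", "DHE-", "EDH-"))

def undecryptable_suites(text):
    """Names of suites in a tmm listing that an RSA-key-only decryptor cannot handle."""
    return [r["suite"] for r in parse_serverciphers(text) if is_forward_secret(r)]

if __name__ == "__main__":
    for name in undecryptable_suites(SAMPLE_OUTPUT):
        print("forward-secret suite still enabled:", name)
```

Pipe the real `tmm --serverciphers '<your cipher string>'` output into `undecryptable_suites` to confirm the profile string actually removes every ECDHE/DHE suite before checking the WAF again.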