Forum Discussion
Disable ECDHE Cipher Suite for Server Side SSL Profile
Hi,
We have deployed Imperva WAF in transparent bridge mode between our F5 load balancers and Web Servers. In order to perform SSL Decryption, we need to disable certain Cipher Suites including ECHDE and EDH. I have configured the following below but am still getting warnings on the WAF that cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA** cannot be decrypted.
Current SSL Server Profile: ** DEFAULT:!SSLv3:!ECDHE:!EDH **
What else is missing in order to disable cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ** ?
Thanks for your help!
- JGCumulonimbus
You mis-typed "ECDHE" in your SSL Server Profile.
- JGCumulonimbus
On v11.6.1, I get this:
tmm --serverciphers 'DEFAULT:!SSLv3:!ECDHE:!EDH' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 1: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 2: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 3: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 5: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 6: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 7: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 8: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 10: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 11: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 14: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 15: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
which does not include ECDHE at all.
For testing, you may specify just one "NONE:AES128-SHA256" and see if you still get the same message.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com