Forum Discussion

Nimbostratus

Sep 07, 2017

Disable Specific SSL Ciphers on F5 Big IP

Hi, F5 novice here. Due to the results of a recent pentest I need to disable 3DES and RC4 ciphers on our F5 Big IP running 12.1. I have been able to edit the existing ciphers and successful...

BIG-IP

security

pponte

Altostratus

Sep 07, 2017

I think you could read these links.

link 1 link 2

You can order the list to make it as you like, e.g: ciphers DEFAULT:RSA+AES-GCM:RSA+AES:@STRENGTH

I hope it helps

stephen_piskor_
Nimbostratus
Sep 07, 2017
Thanks for the info, I have already read these links. The Ciphers I need to disable are listed below.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK 112

Please bear in mind my F5 knowledge is limited.
stephen_piskor_
Nimbostratus
Sep 07, 2017
Ok I just added this..

This has helped a great deal.

DEFAULT:!DHE
stephen_piskor_
Nimbostratus
Sep 07, 2017
Even better..

DEFAULT:!DHE:!3DES

I now get an A- due to PFS being disabled.
pponte
Altostratus
Sep 07, 2017
Hello Stephen, How can I make a test to a web page? I think Qualys could be a very useful tool.