Forum Discussion

Rob_Higginbotha's avatar
Rob_Higginbotha
Icon for Nimbostratus rankNimbostratus
May 17, 2018

Disabling Ciphers

Guys,

 

We are deploying Skype at work. The Skype team would like me to disable the "Weak" Ciphers and only enable the others. I know you can disable / enable them in the clientssl profile under Advanced. But, what is the correct context to do this?

 

Thank You

 

Here is the list

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS128 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128

 

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK256

 

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK128

 

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256

 

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

 

TLS 1.1 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128

 

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256

 

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

 

TLS 1.0 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128

 

TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256

 

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128

 

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

 

  • @Rob, Do you want to disable only Weak cipher, which you have pasted in Question section. Let us know.

     

7 Replies

  • Yes, you need to set this in the clientSSL profile applied to the virtual.

     

    You can also create a clientssl profile that specifies your selected ciphers, and use that profile as the parent profile for the Virtual server specific clientssl profiles. Then if you need to change the ciphers set for all your virtuals, you can update the parent and change all the child profiles at once.

     

    Do NOT modify the default clientSSL profile

     

  • @Rob, Do you want to disable only Weak cipher, which you have pasted in Question section. Let us know.

     

    • Samir_Jha_52506's avatar
      Samir_Jha_52506
      Icon for Noctilucent rankNoctilucent

      Disable below cipher in-order to eliminate weak cipher list. I have tested in v12 and all weak cipher gone. Suggest you to test in LAB environment and share feedback. Most important thing, don't play with default

      client-ssl
      profile which has pointed by @SBlakely

      Find the weak cipher list as per above question .

          AES256-SHA256
          AES128-SHA256
          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      

      TLS 1.1 (Weak suites in server-preferred order)

          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      

      TLS 1.0 (Weak suites in server-preferred order)

          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      
    • Rob_Higginbotha's avatar
      Rob_Higginbotha
      Icon for Nimbostratus rankNimbostratus

      My Apologies for being dumb - So, I copy the above list in the "Ciphers" section in the clientssl profile that I created? Anything else? What am I missing?

       

      Thank you for your help

       

      When I try this I'm getting an error

       

      01070312:3: Invalid keyword ' aes256-sha256' in ciphers list for profile /Common/clientssl-test-cyphers

       

      Cipher List to insert.

       

      AES256-SHA256: AES128-SHA256: AES256-SHA: AES128-SHA: DES-CBC3-SHA: AES256-SHA: AES128-SHA: DES-CBC3-SHA: AES256-SHA: AES128-SHA: DES-CBC3-SHA: