Rob_Higginbotha
May 17, 2018

Disabling Ciphers

Guys,

We are deploying Skype at work. The Skype team would like me to disable the "Weak" Ciphers and only enable the others. I know you can disable / enable them in the clientssl profile under Advanced. But, what is the correct context to do this?

Thank You

Here is the list

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK256
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

TLS 1.1 (suites in server-preferred order)

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

TLS 1.0 (suites in server-preferred order)

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112

 

  • Yes, you need to set this in the clientSSL profile applied to the virtual.

    You can also create a clientssl profile that specifies your selected ciphers, and use that profile as the parent profile for the Virtual server specific clientssl profiles. Then if you need to change the ciphers set for all your virtuals, you can update the parent and change all the child profiles at once.

    Do NOT modify the default clientSSL profile.

  • @Rob, do you want to disable only the weak ciphers that you pasted in the question section? Let us know.

    • Samir_Jha_52506

      Disable the ciphers below in order to eliminate the weak cipher list. I have tested in v12 and all the weak ciphers are gone. I suggest you test in a lab environment and share feedback. Most importantly, don't play with the default client-ssl profile, as pointed out by @SBlakely.

      Find the weak cipher list as per the above question.

          AES256-SHA256
          AES128-SHA256
          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      

      TLS 1.1 (Weak suites in server-preferred order)

          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      

      TLS 1.0 (Weak suites in server-preferred order)

          AES256-SHA
          AES128-SHA
          DES-CBC3-SHA
      
    • Rob_Higginbotha

      My apologies for being dumb - so, I copy the above list in the "Ciphers" section in the clientssl profile that I created? Anything else? What am I missing?

      Thank you for your help

      When I try this I'm getting an error

      01070312:3: Invalid keyword ' aes256-sha256' in ciphers list for profile /Common/clientssl-test-cyphers

      Cipher List to insert.

      AES256-SHA256: AES128-SHA256: AES256-SHA: AES128-SHA: DES-CBC3-SHA: AES256-SHA: AES128-SHA: DES-CBC3-SHA: AES256-SHA: AES128-SHA: DES-CBC3-SHA:
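
Added example (not part of the thread and not F5's own code): the keyword quoted in the error above begins with a space, which points at whitespace in the pasted list. This Python sketch pulls the suites labelled WEAK out of the scan output, strips whitespace and repeats, and builds a single exclusion string. It assumes the BIG-IP cipher string uses OpenSSL-style syntax, where a bare name selects a suite and `!NAME` excludes it; the `DEFAULT` base and the function names are likewise assumptions.

```python
import re

# IANA name -> OpenSSL-style name, for the five suites the scan above labels WEAK.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
# "<IANA name> (0x..) ... FS|WEAK"; the label may be fused to the bit size ("WEAK256").
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+) \(0x[0-9a-f]+\)[^\n]*?\b(FS|WEAK)")

# Constructed sample input: lines copied from the scan output in the question.
SCAN = (
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS256 "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS128\n"
    "TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK256\n"
    "TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK128\n"
    "TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256\n"
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK128\n"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK112\n"
    "TLS 1.1 (suites in server-preferred order)\nTLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK256\n"
)
# The list as pasted in the last post: spaces after colons, repeats, trailing colon.
PASTED = "AES256-SHA256: AES128-SHA256: AES256-SHA: AES128-SHA: DES-CBC3-SHA: AES256-SHA: AES128-SHA: DES-CBC3-SHA:"

def weak_suites(scan_text):
    # OpenSSL-style names of the suites labelled WEAK, de-duplicated, first-seen order.
    names = []
    for iana, label in SUITE_RE.findall(scan_text):
        # An unmapped suite raises KeyError: extend the table rather than guess a name.
        if label == "WEAK" and IANA_TO_OPENSSL[iana] not in names:
            names.append(IANA_TO_OPENSSL[iana])
    return names

def exclusion_string(cipher_list, base="DEFAULT"):
    # Split on ":", trim whitespace, drop empties and repeats, then prefix each with "!".
    tokens = []
    for tok in filter(None, (t.strip() for t in cipher_list.split(":"))):
        if not re.fullmatch(r"[A-Za-z0-9+-]+", tok):
            raise ValueError(f"not a cipher keyword: {tok!r}")
        if tok not in tokens:
            tokens.append(tok)
    return ":".join([base] + ["!" + t for t in tokens])

if __name__ == "__main__":
    print(exclusion_string(":".join(weak_suites(SCAN))))
```

The resulting string can be checked on the BIG-IP with `tmm --clientciphers '<string>'` before it is set on the custom clientssl profile, to confirm which suites remain.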