Forum Discussion
paragon
Altostratus
AltostratusDisabling Specific Weak Cipher Suites
I need help disabling specific cipher suites for a client. I've read the documentation but don't know enough about these chipher suites to come up with the correct string to disable them in the SSL profile.
Part two of my question is, what this impacts. Does this impact the suites used from F5 to the server or just the connection between client and F5 or both?
These are the cipher suites being deprecated on the server side behind F5:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
Thanks!
Zach
This would the server side SSL profile then. Usually be default a generic SSL profile is used on server side, but you can create a specific one for this particular application.
Now, there is one more concern. You can disable the ciphers on the server and don't have to on the F5. Why? Both the F5 and server need to both support and agree upon a cipher version. So if the server is not presenting it as available in the initial handshake, the F5 simply will not use/select it. That said... have you asked the server team what ciphers are still supported? You want to make sure the F5 supports what the server is requesting now... newer versions of BIG-IP support newer ciphers, so maybe a newer software BIGIP version may be needed to support what the servers now advertise.
- Paulius
MVP
paragon Sadly I don't know the string off the top of my head to disable these specific ciphers but you can use the following article to configure the exact ciphers that you need to use. Making this change will change the ciphers where you configure that cipher group only and not the entire F5. If you figure out what cipher string will disable these ciphers specifically then that would change the ciphers used for all virtual servers using the SSL client profile.
- whisperer
Which ciphers are you looking to disable? You mentioned which are F5 deprecated, but did not indicate what you want to use?
You can modify the SSL negotiation process on either the client or server side, using the respective profiles. Usually on the client side, you want to use secure EC ciphers, high encryption, etc. Probably want to disable older SSLvX and earlier TLS. On the server side, this is generally less critical of you are proxying the connection via the F5 BIG-IP. Many times times servers are old and application teams are loath to upgrade, either their OS or software. So, more insecure ciphers are usually used on the server side as a workaround, but then on the client side, accessible to users, you enforce the stronger suites.
paragonwhisperer I'm looking to disable the ciphers in the list above on the server side. The application no longer supports them and F5 is unable to communicate with the app server when the ciphers are removed from the server. Is there an SSL profile specific to the server side? Sorry, I don't have access to F5 and trying to walk our client through this. I think they were trying to edit the SSL profile for the domain at Local Traffic > Profiles > SSL > Client.
- whisperer
This would the server side SSL profile then. Usually be default a generic SSL profile is used on server side, but you can create a specific one for this particular application.
Now, there is one more concern. You can disable the ciphers on the server and don't have to on the F5. Why? Both the F5 and server need to both support and agree upon a cipher version. So if the server is not presenting it as available in the initial handshake, the F5 simply will not use/select it. That said... have you asked the server team what ciphers are still supported? You want to make sure the F5 supports what the server is requesting now... newer versions of BIG-IP support newer ciphers, so maybe a newer software BIGIP version may be needed to support what the servers now advertise.
