Forum Discussion
Disabling Specific Weak Cipher Suites
- Jun 09, 2023
This would be the server side SSL profile then. Usually by default a generic SSL profile is used on the server side, but you can create a specific one for this particular application.
Now, there is one more concern. You can disable the ciphers on the server and don't have to on the F5. Why? Both the F5 and server need to both support and agree upon a cipher version. So if the server is not presenting it as available in the initial handshake, the F5 simply will not use/select it. That said... have you asked the server team what ciphers are still supported? You want to make sure the F5 supports what the server is requesting now... newer versions of BIG-IP support newer ciphers, so maybe a newer software BIGIP version may be needed to support what the servers now advertise.
paragon Sadly I don't know the string off the top of my head to disable these specific ciphers but you can use the following article to configure the exact ciphers that you need to use. Making this change will change the ciphers where you configure that cipher group only and not the entire F5. If you figure out what cipher string will disable these ciphers specifically then that would change the ciphers used for all virtual servers using the SSL client profile.
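The point made above, that a suite can only be used if both the F5 and the backend server support it, can be checked offline by expanding each side's cipher string and intersecting the results. This is an added example, not code from the thread or from F5: it uses the local OpenSSL through Python's `ssl` module rather than BIG-IP's own cipher string parser, and the two cipher strings and the server-preference selection rule are constructed assumptions.

```python
import ssl

def expand(cipher_string):
    """Return the ordered TLS 1.2-and-below suites an OpenSSL cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def negotiate(client_offer, server_supported):
    """Pick the first suite in the server's order that the client also offered.
    Assumes the server enforces its own preference order."""
    offered = set(client_offer)
    return next((s for s in server_supported if s in offered), None)

def audit(client_string, server_string):
    """Compare what the TLS client side offers with what the backend accepts."""
    client, server = expand(client_string), expand(server_string)
    client_set, server_set = set(client), set(server)
    return {
        "selected": negotiate(client, server),
        "negotiable": [s for s in server if s in client_set],
        "offered_but_unreachable": [s for s in client if s not in server_set],
    }

# Constructed cipher strings (assumptions, not taken from the thread):
F5_SERVERSIDE = "HIGH:!aNULL"      # load balancer's server-side profile, unchanged
BACKEND_HARDENED = "ECDHE+AESGCM"  # backend after the weak suites were disabled

def legacy_only_result():
    """Failure case: the client side offers only suites the backend has dropped."""
    legacy = [s for s in expand(F5_SERVERSIDE) if "GCM" not in s]
    return negotiate(legacy, expand(BACKEND_HARDENED))

if __name__ == "__main__":
    report = audit(F5_SERVERSIDE, BACKEND_HARDENED)
    print("selected:", report["selected"])
    print("still negotiable:", report["negotiable"])
    print("offered but refused by backend:", len(report["offered_but_unreachable"]))
    print("legacy-only client result:", legacy_only_result())
```

A `None` result in the last line is the case the reply warns about: if the load balancer supports none of the suites the servers now advertise, the server-side handshake fails until its profile or software version is updated.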