Forum Discussion

paragon's avatar
paragon
Icon for Altostratus rankAltostratus
Jun 09, 2023
Solved

Disabling Specific Weak Cipher Suites

I need help disabling specific cipher suites for a client. I've read the documentation but don't know enough about these chipher suites to come up with the correct string to disable them in the SSL p...
security
  • whisperer's avatar
    whisperer
    Jun 09, 2023

    This would the server side SSL profile then. Usually be default a generic SSL profile is used on server side, but you can create a specific one for this particular application.

    Now, there is one more concern. You can disable the ciphers on the server and don't have to on the F5. Why? Both the F5 and server need to both support and agree upon a cipher version. So if the server is not presenting it as available in the initial handshake, the F5 simply will not use/select it. That said... have you asked the server team what ciphers are still supported? You want to make sure the F5 supports what the server is requesting now... newer versions of BIG-IP support newer ciphers, so maybe a newer software BIGIP version may be needed to support what the servers now advertise.

paragon's avatar
paragon
Icon for Altostratus rankAltostratus

whisperer I'm looking to disable the ciphers in the list above on the server side. The application no longer supports them and F5 is unable to communicate with the app server when the ciphers are removed from the server. Is there an SSL profile specific to the server side? Sorry, I don't have access to F5 and trying to walk our client through this. I think they were trying to edit the SSL profile for the domain at Local Traffic > Profiles SSL Client.

whisperer's avatar
whisperer
Icon for MVP rankMVP
Jun 09, 2023

This would the server side SSL profile then. Usually be default a generic SSL profile is used on server side, but you can create a specific one for this particular application.

Now, there is one more concern. You can disable the ciphers on the server and don't have to on the F5. Why? Both the F5 and server need to both support and agree upon a cipher version. So if the server is not presenting it as available in the initial handshake, the F5 simply will not use/select it. That said... have you asked the server team what ciphers are still supported? You want to make sure the F5 supports what the server is requesting now... newer versions of BIG-IP support newer ciphers, so maybe a newer software BIGIP version may be needed to support what the servers now advertise.

  • paragon's avatar
    paragon
    Icon for Altostratus rankAltostratus
    Jun 09, 2023

    Ok, this is starting to make more sense to me. Thank you! I have the supported list of ciphers from the server team so it sounds like none of the supported ciphers are available in that defaul ssl profile used on the server side and that's why it can't negotiate a connection when they remove the weak ciphers. I'll help them find the correct profile and verify this theory. Sounds like we'll just need to assign a profile on the server side that has supported ciphers available. I see some of the supported ciphers on the client side using the Qualsys SSL checker so I assume there would have to be some available ciphers on BIGIP version they are using. And the link Paulius sent looks like it covers setting up a new profile with specific ciphers. Hopefuly I can help them sort this out this afternoon. Thank you both so much for your help!