Forum Discussion
Does BIG-IP Version 12.1.3.5 Point Release 5 support 3DES and SSLv3?
Security scanning is stating the BIG-IP 3600 is supporting 3DES and SSLv3. I do not see this option in the cipher list. I see it defined when creating the default https monitor; cipherlist DEFAULT:+SHA:+3DES:+kEDH. Admitting I am a bit confused. Any thoughts? Thanks. Dave
- Dave_McCauley_3
Cirrostratus
Are they saying a VIP on the device is configured for it, or the management GUI? Perhaps it's a generic message saying that the platform supports SSLv3 but not necessarily that you have it enabled?
Running tmm --clientciphers 'SSLv3' on a v13.1 VE shows that I could enable 20 different SSLv3 ciphers, but by default, the ssl cipher string doesn't have them listed.
If you have a non-custom cipher string in the ssl profiles in use, run that command with them in between the quotes to see what ciphers are configured.
- daveferrier_202
Nimbostratus
Hi Dave. Thanks for the reply.
Actually, they are pointing to a VIP IP, and also complaining about the physical IP of the BIG-IP.
I ran the tmm --clientciphers 'SSLv3' and tmm --clientciphers '3DES' and it came back with a similar response.
All of the ssl profiles in use are defined to use default settings.
I am going to try to negate the weak ciphers in specific profiles.
- Chris_Grant
Employee
Dave already answered this in part, but you can see all the supported ciphers here:
https://support.f5.com/csp/article/K13163
All default ciphers are listed here:
https://support.f5.com/csp/article/K13156
DES and SSLv3 are supported, but SSLv3 has been disabled by default for quite some time:
https://support.f5.com/csp/article/K15022
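
The check suggested earlier in the thread (expanding a profile's cipher string with tmm --clientciphers and reading the result) can be filtered for exactly what the scanner reports. This is an added example, not part of the original posts or of F5's tooling; the column layout of the listing is an assumption, the sample rows are constructed, and `flag_weak` and `sample_output` are hypothetical names.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes the cipher listing is a header
# row followed by rows of: index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX.

# Constructed sample in that layout (not captured from a real device).
sample_output() {
cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA                       256  SSL3    Native  AES     SHA     RSA
 3:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES     SHA     RSA
 4:    10  DES-CBC3-SHA                     168  SSL3    Native  DES     SHA     RSA
EOF
}

# Reads a listing on stdin and prints "SUITE PROT reason" for every row that
# allows SSLv2/SSLv3 or uses a 3DES suite. Exit status is 1 if any row was
# flagged, 0 if the cipher string expands to none of them.
flag_weak() {
  awk '
    $1 !~ /^[0-9]+:$/ { next }   # skip the header and blank lines
    {
      suite = $3; prot = $5; reason = ""
      if (prot ~ /^SSL[23]$/)      reason = "protocol"
      if (suite ~ /DES-CBC3|3DES/) reason = (reason == "" ? "3des" : reason "+3des")
      if (reason != "") { print suite, prot, reason; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# On the BIG-IP itself the listing would come from the command in the thread:
#   tmm --clientciphers 'DEFAULT' | flag_weak
sample_output | flag_weak || echo "cipher string expands to SSLv3 and/or 3DES entries"
```

Run it once per cipher string in use (each SSL profile and the https monitor's cipherlist), since the scanner findings for the VIP and for the device address may come from different strings.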