Pat_70435
Mar 10, 2017

Excluding Cipher List

I'm attempting to remove a specific Cipher stream from a Client SSL Profile.

I can't seem to exclude the specific two streams from the Cipher List.

Any help would be appreciated.

I need to exclude -

ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA 

I am using

ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES

I can't get an exclusion to remove the two cipher streams I want.

This link was a great help,

https://devcentral.f5.com/articles/cipher-suite-practices-and-pitfalls-25564

but I can't get it to function the way I want it to.

  • Are you only looking to exclude those two specific ciphers? Does the following not work for your requirement:

     

    !ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES

     

  • This seems to work for me:

    tmm --clientciphers '!ECDHE-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:ECDHE+AES-GCM:NATIVE:!EXPORT:!DES'

    Can you post your output and identify the ciphers that you think should be excluded but still show up?

    Just a word of caution, the cipher list that you are using is still weak. If you are looking to provide better security, I would recommend checking this out.
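
One way to check the output the last reply asks for, as an added example that is not part of the original posts: a shell filter that reads the table printed by `tmm --clientciphers` and reports whether either suite from the question is still listed. The function names are hypothetical, the sample tables are constructed, and the column layout (suite name in the third whitespace-separated field) is an assumption.

```shell
#!/bin/sh
# Suites that must not appear in the resulting cipher list (names from the thread).
DENY="ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA"

# Read a cipher table on stdin and print every denied suite found in it.
# Assumption: data rows look like "<idx>: <id> <suite> <bits> ...".
# The suite field is compared exactly, because DES-CBC3-SHA is a substring of
# ECDHE-RSA-DES-CBC3-SHA and a plain grep would not tell the two apart.
find_denied() {
    awk -v deny="$DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $1 ~ /^[0-9]+:$/ && ($3 in bad) { print $3 }
    '
}

# Constructed sample tables, not captured from a real device.
sample_before() {
cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES      SHA     ECDHE_RSA
 2:    10  DES-CBC3-SHA                     168  TLS1    Native  DES      SHA     RSA
EOF
}
sample_after() { sample_before | grep -v 'DES-CBC3'; }

# Return 0 when the table on stdin is clean, 1 when a denied suite is still listed.
check() {
    found=$(find_denied)
    [ -z "$found" ] && return 0
    echo "still enabled:" $found
    return 1
}
```

On the device the table would come from the command already shown in the thread, for example `tmm --clientciphers '<cipher string>' | check`.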