For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

NicoTinusBeheer's avatar
NicoTinusBeheer
Icon for Nimbostratus rankNimbostratus
Oct 29, 2021

F5 Hardened Cipher suite profile (pentest recommendation)

We have a pentest report that wants to DISABLE the following ciphers from our f5 profile; (we currently use 'f5-secure' & they want us to remove some ciphers from that to comply to the recommendatio...
BIG-IP
LTM
security
SSL Cipher group
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Oct 30, 2021

Hi ,

try this string for Cipher Suites: ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256

Maybe someone can do it more elegant... but it should suit your requirements.

[root@awaf16:Active:Standalone] config # tmm --clientciphers 'ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256' | awk '{ print $3 }'
BITS
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
TLS13-AES128-GCM-SHA256
TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256

 I found this link useful for building cipher strings:

https://wiki.mozilla.org/Security/Cipher_Suites

KR

Daniel

EDIT: maybe it is easier to build a string when you tell us what you want to be available, rather than telling us what should be removed.