NicoTinusBeheer
Oct 29, 2021 Nimbostratus
F5 Hardened Cipher suite profile (pentest recommendation)
We have a pentest report that wants to DISABLE the following ciphers from our f5 profile; (we currently use 'f5-secure' & they want us to remove some ciphers from that to comply to the recommendatio...
Daniel_Wolf
Oct 30, 2021 MVP
Hi,
try this string for Cipher Suites: ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256
Maybe someone can do it more elegantly... but it should suit your requirements.
[root@awaf16:Active:Standalone] config # tmm --clientciphers 'ECDHE:RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!CAMELLIA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256' | awk '{ print $3 }'
BITS
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-CBC-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-CBC-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
TLS13-AES128-GCM-SHA256
TLS13-AES256-GCM-SHA384
TLS13-CHACHA20-POLY1305-SHA256
I found this link useful for building cipher strings:
https://wiki.mozilla.org/Security/Cipher_Suites
KR
Daniel
EDIT: maybe it is easier to build a string when you tell us what you want to be available, rather than telling us what should be removed.
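An added example, not part of the post above and not F5 code: a shell check for the `tmm --clientciphers` listing that collapses the repeated rows to unique suite names and reports any suite the string excludes by name that is still listed. The sample rows are constructed (only the position of the suite name in column 3 is taken from the post), and the function names and the `EXCLUDED` variable are assumptions of this example.

```shell
#!/bin/sh
# Suite names taken from the "!" exclusions in the cipher string in the post.
EXCLUDED='AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA AES128-SHA256 AES256-SHA256'

# Print each suite name (column 3, as in the post's awk) once, skipping the header row.
unique_suites() {
    awk '$3 != "" && $3 != "BITS" && !seen[$3]++ { print $3 }'
}

# Print every excluded suite that is still listed. Names are compared whole,
# so ECDHE-RSA-AES128-GCM-SHA256 is not mistaken for AES128-GCM-SHA256.
leaked_suites() {
    unique_suites | awk -v deny="$EXCLUDED" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        ($1 in bad) { print $1 }'
}

# Constructed sample rows; only "suite name in column 3" comes from the post.
sample_ok() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM  SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    AES      SHA     ECDHE_RSA
 2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES      SHA     ECDHE_RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES      SHA     ECDHE_RSA
 4:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM  NULL    *
EOF
}

# Same rows plus one plain-RSA suite, as if an exclusion had been dropped from the string.
sample_leaky() {
    sample_ok
    echo ' 5:    47  AES128-SHA                       128  TLS1.2  AES      SHA     RSA'
}

# On a BIG-IP: tmm --clientciphers '<cipher string>' | leaked_suites
echo "unique suites in sample: $(sample_ok | unique_suites | wc -l | tr -d ' ')"
echo "excluded suites still offered: $(sample_leaky | leaked_suites)"
```

An empty result from `leaked_suites` means none of the named exclusions survived; it does not judge the suites that remain, such as the CBC ones.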