For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hugo_van_der_K1's avatar
Hugo_van_der_K1
Icon for Altostratus rankAltostratus
Mar 06, 2020

How to build very specific Cipher string?

How can I specify a very specific Cipher string? The object is to only allow the ciphers below and offer them in this specific order.   TLS13-AES256-GCM-SHA384/TLS1.3 TLS13-CHACHA20-POLY1305-SH...
BIG-IP
cipher
LTM
security
Jean-Michel_Aud's avatar
Jean-Michel_Aud
Icon for Nimbostratus rankNimbostratus
Mar 12, 2020

I removed the CBC Ciphers to be compliant with SSL Labs weak ciphers list :

 

TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1

Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Mar 12, 2020

In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).