Forum Discussion
Moinul_Rony
Altostratus
Sep 04, 2014
How to disable CIPHER for and Disable TCP time stamp on F5?
Hi,
We have just been chased by PCI Compliance about having a vulnerability that detected WEAK CIPHER support and TCP Timestamp being turned ON.
--Report says our application:
Negotiated with the fol...
nitass
Employee
Sep 04, 2014
I normally see people using the cipher string from this sol if there is no special requirement.
sol13171: Configuring the cipher strength for SSL profiles (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
for tcp timestamp, is it this one?
TCP timestamp response
http://www.rapid7.com/db/vulnerabilities/generic-tcp-timestamp
sol8072: Obtaining uptime information from TCP timestamps
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8072.html
Moinul_Rony
Altostratus
Sep 06, 2014
Thanks, on another point the PCI scan pointed out absence of "Forward Secrecy with the reference browsers". Can this be implemented/enforced via F5?
nitass
Employee
Sep 06, 2014
dh is natively supported in 11.2.1
Diffie-Hellman SSL key exchange cipher
The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration.
Release Note: BIG-IP LTM and TMOS 11.2.1
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html
Moinul_Rony
Altostratus
Sep 06, 2014
Unfortunately we are using 11.2.0. Any chance to enforce DH?
nitass
Employee
Sep 06, 2014
dh is supported in compat ssl stack in 11.2.0.
sol13163: SSL ciphers supported on BIG-IP platforms (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
Moinul_Rony
Altostratus
Sep 07, 2014
Sorry, but enabling COMPAT cipher brought down the grading to F in SSLLABS.
nitass
Employee
Sep 07, 2014
You can list ciphers using the tmm --clientciphers command.
tmm --clientciphers (cipher string)
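A cipher string can be reviewed before it goes into a client SSL profile by checking the listing that tmm --clientciphers prints for weak entries, COMPAT-stack entries and forward-secrecy suites. The script below is an added example, not part of the original thread and not F5 code; the column layout of the listing, the sample rows and the flagging policy are assumptions.

```python
import re

# Constructed sample, NOT captured from a device. The column layout (ID, SUITE,
# BITS, PROT, METHOD, CIPHER, MAC, KEYX) is an assumption about the listing format.
SAMPLE = """\
     ID  SUITE               BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:   5  RC4-SHA              128  SSL3    Native  RC4     SHA  RSA
 1:   5  RC4-SHA              128  TLS1    Native  RC4     SHA  RSA
 2:  47  AES128-SHA           128  TLS1    Native  AES     SHA  RSA
 3:  53  AES256-SHA           256  TLS1.2  Native  AES     SHA  RSA
 4:  57  DHE-RSA-AES256-SHA   256  TLS1    Compat  AES     SHA  EDH/RSA
"""
FIELDS = ("id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")
ROW = re.compile(r"^\s*\d+:\s+" + r"\s+".join([r"(\S+)"] * len(FIELDS)) + r"\s*$")

# Review policy chosen for this example; adjust to your own compliance baseline.
WEAK_CIPHERS = {"RC4", "RC2", "DES", "NULL"}
WEAK_PROTOCOLS = {"SSL2", "SSL3"}
PFS_PREFIXES = ("DHE-", "EDH-", "ECDHE-")  # ephemeral key exchange, by suite name

def parse(listing):
    """Return one dict per cipher row; the header and blank lines are skipped."""
    return [dict(zip(FIELDS, m.groups()))
            for m in map(ROW.match, listing.splitlines()) if m]

def audit(rows):
    """Split rows into flagged entries (with reasons) and forward-secrecy suites."""
    flagged, pfs = [], []
    for r in rows:
        reasons = []
        if r["cipher"].upper() in WEAK_CIPHERS:
            reasons.append("weak cipher " + r["cipher"])
        if r["bits"].isdigit() and int(r["bits"]) < 128:
            reasons.append("key under 128 bits")
        if r["prot"].upper() in WEAK_PROTOCOLS:
            reasons.append("legacy protocol " + r["prot"])
        if r["method"].upper() == "COMPAT":
            reasons.append("COMPAT stack")
        if reasons:
            flagged.append((r["suite"], r["prot"], reasons))
        if r["suite"].upper().startswith(PFS_PREFIXES):
            pfs.append((r["suite"], r["prot"], r["method"]))
    return {"flagged": flagged, "pfs": pfs}

if __name__ == "__main__":
    report = audit(parse(SAMPLE))
    for suite, prot, reasons in report["flagged"]:
        print(f"FLAG {suite:<20} {prot:<7} {', '.join(reasons)}")
    print("PFS suites:", report["pfs"])
```

To check a real listing, pass the saved text of the command's output to parse() in place of SAMPLE.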