How to disable weak cipher from Client SSL Profile. (TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x33))

Question

Hi Folks,&nbsp;
We are running BIG-IP LTM 12.1.1. We have already disabled the weak cipher from the Client SSL Profile but still getting Weak Cipher Qualys SSL-Labs rating.&nbsp;
Currently we are having following values in the Client SSL Profile : "DEFAULT:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256"&nbsp;
But when adding the value ":!DHE-RSA-DES-CBC3-SHA" which appears in the PT report it give us an error.&nbsp;
Please advise how we can disable it from our Client SSl Profile.&nbsp;
Thanks&nbsp;

morten_marstran · Answer

Hi,
Not sure if this answers your question, but if you seek to score as high as possible on ssl-labs, you should use these ciphers:
ecdhe:rsa:!sslv3:!rc4:!exp:!des:!3des

It will get you an "A" score.
Regards,
Morten

Forum Discussion

How to disable weak cipher from Client SSL Profile. (TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x33))

1 Reply

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

SSH forward proxy

Multiple Default Gateways

ASM Sec-CH-UA-Full-Version-List backquote in Header

Scenarios where Service Policy should be used over iRule and Vice versa

Issue on connection limit

Related Content

Impact of disabling TCP Timestamp in TCP and fasl4 profile

F5 BIG-IP Advanced WAF – DOS profile configuration options.

How to disable weak cipher from Client SSL Profile

Disabling Weak Ciphers

Disable below cipher

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS