Forum Discussion
How to disable weak cipher from Client SSL Profile
Hi, we have disabled a few ciphers and we have an "A" rating in the Qualys SSL checker portal. We have a requirement to disable weak ciphers as well.
Could someone advise how to disable weak ciphers? Please find the attachment for reference.
Thanks
- ka1021Altostratus
Hi Sriram,
You can disable weak ciphers by putting the following cipher string in the clientssl_profile: Local Traffic ›› Profiles : SSL : Client ›› Ciphers (Cipher String)
DEFAULT:!RSA:!DES:!3DES:!DHE
Also have a look at the KB articles below:
For 11.x - https://support.f5.com/csp/article/K13171
For 12.x - https://support.f5.com/csp/article/K13170
Regards, Kaustubh
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
Thanks for your suggestions. I will update you once the changes have been made.
Thanks, Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
I have made the changes suggested by you and I got the below output from the SSL checker.
Thanks for your suggestions
Regards Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
After the change, TLS 1.0 and 1.1 were enabled.
Our requirement is to have TLS 1.2 alone, and all the remaining protocols should be disabled.
Please suggest a cipher for this requirement.
- Lokesh_R_365525Nimbostratus
By using the DEFAULT:@STRENGTH command, you can prefer the ciphers to use only strength.
- Sriram_ShanmugaAltostratus
Hi Lokesh,
Thanks for your suggestions.
After making the changes, I got the below output.
- RaghavendraSYAltostratus
Please try the one below:
DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RC4:!RSA:!ADH:!EXP
- Dhebal76Nimbostratus
Hello.
I realize this article is 3 years old, but I am facing a similar issue. From our Sec team, they want us to disable CBC Ciphers. They are showing up as weak on a Qualys SSL Scan. I have tried using "!CBC" in my cipher string, but it won't let me save that. Currently we use the following in our Cipher Strings in the SSL Profile below. Any help would be appreciated.
DEFAULT:!TLSv1:!TLSv1_1:!DES:!RC4:!DHE
- Mmathew-AMSNimbostratus
Hi Dhebal76, did you get to solve this problem? Please share the cipher string used.
- iHugoFNimbostratus
This worked for me:
ECDHE:!RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256
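Added example, not part of any post in this thread: a Python check over the suite table that `tmm --clientciphers '<cipher string>'` prints on a BIG-IP, flagging the rows the posters were asked to remove (TLS 1.0/1.1, CBC suites, static RSA key exchange). The sample rows are constructed, and treating every CIPHER value other than GCM or ChaCha20 as CBC is an assumption of this example.

```python
# Constructed sample in the column layout of `tmm --clientciphers '<string>'`;
# the rows are illustrative, not output captured from this thread.
SAMPLE = """\
       ID  SUITE                         BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384       256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1    Native  AES      SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1.1  Native  AES      SHA     ECDHE_RSA
 4:    53  AES256-SHA                    256  TLS1.2  Native  AES      SHA     RSA
 5:    10  DES-CBC3-SHA                  168  TLS1.2  Native  DES      SHA     RSA
"""

def parse_rows(text):
    """Yield (suite, protocol, cipher, keyx) for each data row of the table."""
    for line in text.splitlines():
        parts = line.split()
        # Data rows have 9 fields and start with an index such as "0:".
        if len(parts) == 9 and parts[0].endswith(":"):
            _idx, _id, suite, _bits, proto, _method, cipher, _mac, keyx = parts
            yield suite, proto, cipher, keyx

def findings(text, allowed_protocols=("TLS1.2", "TLS1.3")):
    """Return {(suite, protocol): [reasons]} for rows a scanner would flag."""
    out = {}
    for suite, proto, cipher, keyx in parse_rows(text):
        reasons = []
        if proto not in allowed_protocols:
            reasons.append("protocol " + proto)
        if cipher in ("RC4", "DES"):
            reasons.append("legacy cipher " + cipher)
        elif not (cipher.endswith("GCM") or "CHACHA20" in cipher):
            # Assumption: a block cipher that is not an AEAD mode is CBC, even
            # when the suite name lacks "CBC" (e.g. ECDHE-RSA-AES256-SHA384).
            reasons.append("CBC mode")
        if keyx == "RSA":
            reasons.append("no forward secrecy")
        if reasons:
            out[(suite, proto)] = reasons
    return out

if __name__ == "__main__":
    for (suite, proto), reasons in findings(SAMPLE).items():
        print(f"{suite:32} {proto:7} {', '.join(reasons)}")
```

Run it against the real table after each cipher-string change and before re-scanning; an empty result means no listed suite matches these checks.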