For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Saidur900's avatar
Saidur900
Icon for Nimbostratus rankNimbostratus
Sep 30, 2021

How to make strong the weak cipher

Hi All Already I have a cipher suite which already assigned. But in SSL Labs I found Cipher Suites# TLS 1.2 (suites in server-preferred order) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECD...
application delivery
BIG-IP
Fallout1984's avatar
Fallout1984
Icon for Cirrocumulus rankCirrocumulus
Oct 01, 2021

Saidur,

 

Here is a suggestion for ciphers to make a cert more secure (ie. to get an "A+" when checked via ssllabs.com):

 

DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH

 

And then for the options, disallow:

 

TLSv1, TLSv1.1, SSLv2 and SSLv3.

 

What the "@STRENGTH" option does is prioritize the stronger ciphers. You could add that at the end of your cipher list and that would help, but ideally you want to disallow the weaker ciphers.

 

You can look at the preferred cipher list and order that a setting will give you by logging into your F5 via the CLI and entering this command (using DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH as an example):

 

tmm --clientciphers 'DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH'

 

Hopefully, this helps.

Alan