Forum Discussion

Nimbostratus

Sep 30, 2021

How to make strong the weak cipher

Hi All Already I have a cipher suite which already assigned. But in SSL Labs I found Cipher Suites# TLS 1.2 (suites in server-preferred order) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECD...

application delivery

BIG-IP

Fallout1984

Cirrocumulus

Oct 01, 2021

Saidur,

Here is a suggestion for ciphers to make a cert more secure (ie. to get an "A+" when checked via ssllabs.com):

DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH

And then for the options, disallow:

TLSv1, TLSv1.1, SSLv2 and SSLv3.

What the "@STRENGTH" option does is prioritize the stronger ciphers. You could add that at the end of your cipher list and that would help, but ideally you want to disallow the weaker ciphers.

You can look at the preferred cipher list and order that a setting will give you by logging into your F5 via the CLI and entering this command (using DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH as an example):

tmm --clientciphers 'DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH'

Hopefully, this helps.

Alan

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

How to make strong the weak cipher

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

Lightboard Lessons: Choosing Strong vs Weak Ciphers

Strong Authentication

Making EKS Anywhere Highly Available and Secure

Cipher suite mismatch advertisement/warning

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS