Forum Discussion
How to remove only DES from the cipher list
Hi,
Do not want to use DES in the below... How can I disable the DES (in bold) from below list?
MEDIUIM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-EXPORT
Thanks,
Aditya
- JG
Cumulonimbus
You have already explicitly excluded those cipher suites in the list.
Please see K25220232: Understanding the BIG-IP SSL/TLS cipher string format.
- Aditya_Mehra
Cirrus
Hi JG,
So adding " - " in front of DES everywhere disables the DES? ( - means disable the selected cipher suites unless selected again later in the string.)
Also, is there a need to add " ! " anywhere, if we don't want to use it later as well?
Thanks,
Aditya
- JG
Cumulonimbus
As it is, your list disables the specified ciphersuites, such as "EDH-RSA-DES-CBC3-SHA", which uses the DES bulk cipher.
I suspect these cipher suites are really not the problem as they are already excluded. What exactly are you being requested to achieve?
- JG
Cumulonimbus
If you want to remove all ciphersuites that use DES, you can use the following:
ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA
, which is based on the default values in the clientssl-secure profile in BIG-IP v13.1 and provides the following ciphersuites:
v13.1:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA'
    ID  SUITE                        BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 2: 49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 3: 49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 4:   156  AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM   SHA256  RSA
 5:    47  AES128-SHA                   128  TLS1    Native  AES       SHA     RSA
 6:    47  AES128-SHA                   128  TLS1.1  Native  AES       SHA     RSA
 7:    47  AES128-SHA                   128  TLS1.2  Native  AES       SHA     RSA
 8:    47  AES128-SHA                   128  DTLS1   Native  AES       SHA     RSA
 9:    60  AES128-SHA256                128  TLS1.2  Native  AES       SHA256  RSA
10:   157  AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM   SHA384  RSA
11:    53  AES256-SHA                   256  TLS1    Native  AES       SHA     RSA
12:    53  AES256-SHA                   256  TLS1.1  Native  AES       SHA     RSA
13:    53  AES256-SHA                   256  TLS1.2  Native  AES       SHA     RSA
14:    53  AES256-SHA                   256  DTLS1   Native  AES       SHA     RSA
15:    61  AES256-SHA256                256  TLS1.2  Native  AES       SHA256  RSA
16:    65  CAMELLIA128-SHA              128  TLS1    Native  CAMELLIA  SHA     RSA
17:    65  CAMELLIA128-SHA              128  TLS1.1  Native  CAMELLIA  SHA     RSA
18:    65  CAMELLIA128-SHA              128  TLS1.2  Native  CAMELLIA  SHA     RSA
19:   132  CAMELLIA256-SHA              256  TLS1    Native  CAMELLIA  SHA     RSA
20:   132  CAMELLIA256-SHA              256  TLS1.1  Native  CAMELLIA  SHA     RSA
21:   132  CAMELLIA256-SHA              256  TLS1.2  Native  CAMELLIA  SHA     RSA
in v11.6.4:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA'
    ID  SUITE                        BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1    Native  AES       SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.1  Native  AES       SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 5: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1    Native  DES       SHA     ECDHE_RSA
 6: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1.1  Native  DES       SHA     ECDHE_RSA
 7: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1.2  Native  DES       SHA     ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 9: 49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1    Native  AES       SHA     ECDHE_RSA
11: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.1  Native  AES       SHA     ECDHE_RSA
12: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.2  Native  AES       SHA     ECDHE_RSA
13:   157  AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM   SHA384  RSA
14:    61  AES256-SHA256                256  TLS1.2  Native  AES       SHA256  RSA
15:    53  AES256-SHA                   256  TLS1    Native  AES       SHA     RSA
16:    53  AES256-SHA                   256  TLS1.1  Native  AES       SHA     RSA
17:    53  AES256-SHA                   256  TLS1.2  Native  AES       SHA     RSA
18:    53  AES256-SHA                   256  DTLS1   Native  AES       SHA     RSA
19:   156  AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM   SHA256  RSA
20:    60  AES128-SHA256                128  TLS1.2  Native  AES       SHA256  RSA
21:    47  AES128-SHA                   128  TLS1    Native  AES       SHA     RSA
22:    47  AES128-SHA                   128  TLS1.1  Native  AES       SHA     RSA
23:    47  AES128-SHA                   128  TLS1.2  Native  AES       SHA     RSA
24:    47  AES128-SHA                   128  DTLS1   Native  AES       SHA     RSA
[Edited]
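A check for listings like the ones in the post above, as an added example that is not part of the original thread: a shell filter that reads `tmm --clientciphers` output and reports every suite whose CIPHER column is DES, with the protocols it is offered on. The function names are made up for this example, and the sample rows are copied from the v11.6.4 listing above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `tmm --clientciphers`
# listing for DES/3DES suites. Function names are hypothetical.

# Reads a listing on stdin. Data rows look like:
#   ID: SUITE-ID SUITE-NAME BITS PROT METHOD CIPHER MAC KEYX
# Prints "SUITE-NAME PROT,PROT,..." once per suite that uses DES.
des_suites() {
    awk '
        # Skip the header and anything that is not a numbered data row.
        $1 ~ /^[0-9]+:$/ && NF >= 9 {
            if ($7 == "DES" || $3 ~ /DES/) {
                if (!($3 in prots)) order[++n] = $3
                prots[$3] = prots[$3] (prots[$3] ? "," : "") $5
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], prots[order[i]] }
    '
}

# Returns 0 when the listing on stdin is DES-free and 1 otherwise,
# so it can gate a profile change in a script.
check_no_des() {
    found=$(des_suites)
    [ -z "$found" ] && return 0
    printf 'DES/3DES still offered:\n%s\n' "$found" >&2
    return 1
}

# Sample input: header plus rows 4-8 of the v11.6.4 listing on this page.
sample_listing() {
    cat <<'EOF'
    ID  SUITE                        BITS PROT    METHOD  CIPHER    MAC     KEYX
 4: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 5: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1    Native  DES       SHA     ECDHE_RSA
 6: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1.1  Native  DES       SHA     ECDHE_RSA
 7: 49170  ECDHE-RSA-DES-CBC3-SHA       192  TLS1.2  Native  DES       SHA     ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
EOF
}

sample_listing | des_suites
```

On a BIG-IP, pipe the real command into the check instead of the sample, for example `tmm --clientciphers '<cipher string>' | check_no_des`, and run it on each software version in use, since the same string can expand differently between versions.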
- Aditya_Mehra
Cirrus
Thanks JG