Forum Discussion
Aditya_Mehra
Cirrus
CirrusHow to remove only DES from the chipher list
Hi, Do not want to use DES in the below... How can I disable the DES (in bold) from below list? MEDIUIM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-...
If you want to remove all ciphersuites that use DES, you can use the following:
ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA, which is based on the defaul values in the clientssl-secure profile in BIG-IP v13.1 and provides the following ciphersuites:
v13.1:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 1: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 2: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 3: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 4: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 6: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 12: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 13: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 14: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 16: 65 CAMELLIA128-SHA 128 TLS1 Native CAMELLIA SHA RSA 17: 65 CAMELLIA128-SHA 128 TLS1.1 Native CAMELLIA SHA RSA 18: 65 CAMELLIA128-SHA 128 TLS1.2 Native CAMELLIA SHA RSA 19: 132 CAMELLIA256-SHA 256 TLS1 Native CAMELLIA SHA RSA 20: 132 CAMELLIA256-SHA 256 TLS1.1 Native CAMELLIA SHA RSA 21: 132 CAMELLIA256-SHA 256 TLS1.2 Native CAMELLIA SHA RSAin v11.6.4:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 13: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 14: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 15: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 16: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 17: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 18: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 19: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 20: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 21: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 22: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 23: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 24: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA.
[Edited]
JG
Cumulonimbus
CumulonimbusYou have already explicitly excluded those cipher suites in the list.
Please see K25220232: Understanding the BIG-IP SSL/TLS cipher string format.
Aditya_MehraCirrus
CirrusHi JG,
So by adding " - " infront of DES everywhere disables the DES ? ( - means disable the selected cipher suites unless selected again later in the string.)
Also, is there a need to add " ! " anywhere?.. if we dont want to use it later as well.
Thanks,
Aditya
- JG
As it is, your list disables the specified ciphersuites, such as "EDH-RSA-DES-CBC3-SHA", which uses the DES bulk cipher.
I suspect these cipher suites are really not the problem as they are already excluded. What exactly are you being requested to achieve?
- Aditya_Mehra
Thanks JG, just need to disable DES being used, i got your point.
Just another thing - can i modify like the below using :!DES:
MEDIUM:HIGH:-SSLv2:-aNULL:!DES:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA
- JG
Not very effective:
# tmm --clientciphers 'MEDIUM:HIGH:-SSLv2:-aNULL:!DES:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA' |grep DES 53: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA 54: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 55: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 56: 49165 ECDH-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDH_RSA 57: 49165 ECDH-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDH_RSA 58: 49165 ECDH-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDH_RSA 59: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_ECDSA 60: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_ECDSA 61: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_ECDSA 62: 49155 ECDH-ECDSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDH_ECDSA 63: 49155 ECDH-ECDSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDH_ECDSA 64: 49155 ECDH-ECDSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDH_ECDSA 65: 22 DHE-RSA-DES-CBC3-SHA 168 SSL3 Native DES SHA EDH/RSA 66: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA EDH/RSA 67: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA EDH/RSA 68: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA EDH/RSA 69: 22 DHE-RSA-DES-CBC3-SHA 168 DTLS1 Native DES SHA EDH/RSA 70: 27 ADH-DES-CBC3-SHA 168 SSL3 Native DES SHA ADH 71: 27 ADH-DES-CBC3-SHA 168 TLS1 Native DES SHA ADHfor you will need to explicitly remove all these as well.
- Aditya_Mehra
Got it!
