Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Aditya_Mehra's avatar
Aditya_Mehra
Icon for Cirrus rankCirrus
Sep 03, 2019
Solved

How to remove only DES from the chipher list

Hi, Do not want to use DES in the below... How can I disable the DES (in bold) from below list?   MEDIUIM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-...
big-ip
Chiper
DES
security
ssl
Aditya_Mehra's avatar
Aditya_Mehra
Icon for Cirrus rankCirrus
Sep 03, 2019

Hi JG,

So by adding " - " infront of DES everywhere disables the DES ? ( - means disable the selected cipher suites unless selected again later in the string.)

 

Also, is there a need to add " ! " anywhere?.. if we dont want to use it later as well.

 

 

Thanks,

Aditya

 

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Sep 03, 2019

    As it is, your list disables the specified ciphersuites, such as "EDH-RSA-DES-CBC3-SHA", which uses the DES bulk cipher.

     

    I suspect these cipher suites are really not the problem as they are already excluded. What exactly are you being requested to achieve?

  • Aditya_Mehra's avatar
    Aditya_Mehra
    Icon for Cirrus rankCirrus
    Sep 04, 2019

    Thanks JG, just need to disable DES being used, i got your point.

    Just another thing - can i modify like the below using :!DES:

     

    MEDIUM:HIGH:-SSLv2:-aNULL:!DES:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Sep 04, 2019

    Not very effective:

     # tmm --clientciphers 'MEDIUM:HIGH:-SSLv2:-aNULL:!DES:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA' |grep DES
53: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA 
54: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
55: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA 
56: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1    Native  DES       SHA     ECDH_RSA  
57: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.1  Native  DES       SHA     ECDH_RSA  
58: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.2  Native  DES       SHA     ECDH_RSA  
59: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1    Native  DES       SHA     ECDHE_ECDSA
60: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.1  Native  DES       SHA     ECDHE_ECDSA
61: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.2  Native  DES       SHA     ECDHE_ECDSA
62: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1    Native  DES       SHA     ECDH_ECDSA
63: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.1  Native  DES       SHA     ECDH_ECDSA
64: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.2  Native  DES       SHA     ECDH_ECDSA
65:    22  DHE-RSA-DES-CBC3-SHA             168  SSL3    Native  DES       SHA     EDH/RSA   
66:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA   
67:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.1  Native  DES       SHA     EDH/RSA   
68:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.2  Native  DES       SHA     EDH/RSA   
69:    22  DHE-RSA-DES-CBC3-SHA             168  DTLS1   Native  DES       SHA     EDH/RSA   
70:    27  ADH-DES-CBC3-SHA                 168  SSL3    Native  DES       SHA     ADH       
71:    27  ADH-DES-CBC3-SHA                 168  TLS1    Native  DES       SHA     ADH

    for you will need to explicitly remove all these as well.

  • Aditya_Mehra's avatar
    Aditya_Mehra
    Icon for Cirrus rankCirrus
    Sep 04, 2019

    Got it!

Recent Discussions