Forum Discussion
Aditya_Mehra
Cirrus
CirrusHow to remove only DES from the chipher list
Hi, Do not want to use DES in the below... How can I disable the DES (in bold) from below list? MEDIUIM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-...
If you want to remove all ciphersuites that use DES, you can use the following:
ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA, which is based on the defaul values in the clientssl-secure profile in BIG-IP v13.1 and provides the following ciphersuites:
v13.1:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 1: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 2: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 3: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 4: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 6: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 12: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 13: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 14: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 16: 65 CAMELLIA128-SHA 128 TLS1 Native CAMELLIA SHA RSA 17: 65 CAMELLIA128-SHA 128 TLS1.1 Native CAMELLIA SHA RSA 18: 65 CAMELLIA128-SHA 128 TLS1.2 Native CAMELLIA SHA RSA 19: 132 CAMELLIA256-SHA 256 TLS1 Native CAMELLIA SHA RSA 20: 132 CAMELLIA256-SHA 256 TLS1.1 Native CAMELLIA SHA RSA 21: 132 CAMELLIA256-SHA 256 TLS1.2 Native CAMELLIA SHA RSAin v11.6.4:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 13: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 14: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 15: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 16: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 17: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 18: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 19: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 20: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 21: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 22: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 23: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 24: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA.
[Edited]
JG
Cumulonimbus
CumulonimbusIf you want to remove all ciphersuites that use DES, you can use the following:
ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA, which is based on the defaul values in the clientssl-secure profile in BIG-IP v13.1 and provides the following ciphersuites:
v13.1:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
1: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
2: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
3: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
4: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
11: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
13: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
14: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
16: 65 CAMELLIA128-SHA 128 TLS1 Native CAMELLIA SHA RSA
17: 65 CAMELLIA128-SHA 128 TLS1.1 Native CAMELLIA SHA RSA
18: 65 CAMELLIA128-SHA 128 TLS1.2 Native CAMELLIA SHA RSA
19: 132 CAMELLIA256-SHA 256 TLS1 Native CAMELLIA SHA RSA
20: 132 CAMELLIA256-SHA 256 TLS1.1 Native CAMELLIA SHA RSA
21: 132 CAMELLIA256-SHA 256 TLS1.2 Native CAMELLIA SHA RSA in v11.6.4:
# tmm --clientciphers 'ecdhe:rsa:!sslv3:!rc4:!exp:!des:!DES-CBC3-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
13: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
14: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
15: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
16: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
17: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
18: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
19: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
20: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
21: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
22: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
23: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
24: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA.
[Edited]
Aditya_MehraCirrus
CirrusThanks JG
