Forum Discussion
Most up to date Cipher Suite for version 14.1.x to increase BitSight findings?
Trying to improve some BitSight findings on our externally hosted sites. BitSight is kind of vague on its findings and explanations. I know there used to be a page somewhere that had up to date Cipher Suite strings to enter into your SSL profiles but I am unable to find it. I am only able to find the docs that explain how to change the string in the profile. Any help will be appreciated.
These are the default 14.1.x ciphers: https://my.f5.com/manage/s/article/K54125331
And these are all the 14.1.x ciphers: https://my.f5.com/manage/s/article/K97098157
I'd probably kill all TLSv1.0 and v1.1 ciphers to start:
DEFAULT:!TLSv1:!TLSv1_1
In 14.1.x the DHE key is 1024 bit, which can get you dinged, so probably turn those off:
DEFAULT:!TLSv1:!TLSv1_1:!DHE
If this doesn't do it, probably remove RSA (key exchange) & SHA1 ciphers:
DEFAULT:!TLSv1:!TLSv1_1:!DHE:!RSA:!SHA
That will basically bring you to a subset of ECDHE ciphers with SHA256/SHA384.
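As an added illustration (not F5's tool and not code from this thread), here is a small Python model of how the three strings above prune a cipher list. The cipher table is a constructed subset, and the keyword semantics (TLSv1/TLSv1_1 remove per-protocol rows, RSA means RSA key exchange only, SHA means the SHA-1 MAC only) are an assumption approximating BIG-IP's rules, so confirm the real result with tmm --clientciphers on the box.

```python
# Added model of how a BIG-IP style cipher string such as
# DEFAULT:!TLSv1:!TLSv1_1:!DHE:!RSA:!SHA prunes a cipher list. The table is a
# constructed subset (the real 14.1.x table is in K97098157) and the keyword
# semantics are an assumption approximating BIG-IP's rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str  # BIG-IP suite name
    prot: str  # protocol this row applies to (one row per suite/protocol pair)
    keyx: str  # key exchange
    mac: str   # MAC / hash

DEFAULT = [  # constructed sample rows, shaped like tmm --clientciphers output
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "TLS1.2", "ECDHE_RSA", "SHA256"),
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "TLS1.2", "ECDHE_RSA", "SHA384"),
    Suite("ECDHE-RSA-AES128-SHA", "TLS1.2", "ECDHE_RSA", "SHA"),
    Suite("ECDHE-RSA-AES128-SHA", "TLS1.1", "ECDHE_RSA", "SHA"),
    Suite("ECDHE-RSA-AES128-SHA", "TLS1", "ECDHE_RSA", "SHA"),
    Suite("DHE-RSA-AES128-GCM-SHA256", "TLS1.2", "DHE_RSA", "SHA256"),
    Suite("DHE-RSA-AES128-SHA", "TLS1", "DHE_RSA", "SHA"),
    Suite("AES128-GCM-SHA256", "TLS1.2", "RSA", "SHA256"),
    Suite("AES128-SHA", "TLS1.2", "RSA", "SHA"),
]

# Keyword -> predicate. "RSA" matches RSA *key exchange* only (not the RSA
# authentication in ECDHE_RSA) and "SHA" matches the SHA-1 MAC only, which is
# the distinction the thread draws.
KEYWORDS = {
    "TLSv1": lambda s: s.prot == "TLS1",
    "TLSv1_1": lambda s: s.prot == "TLS1.1",
    "DHE": lambda s: s.keyx == "DHE_RSA",
    "RSA": lambda s: s.keyx == "RSA",
    "SHA": lambda s: s.mac == "SHA",
}

def apply_cipher_string(spec, table=DEFAULT):
    """Expand DEFAULT, then apply each '!KEYWORD' exclusion left to right."""
    selected = []
    for token in spec.split(":"):
        if token == "DEFAULT":
            selected.extend(table)
        elif token.startswith("!") and token[1:] in KEYWORDS:
            selected = [s for s in selected if not KEYWORDS[token[1:]](s)]
        else:
            raise ValueError(f"token not supported by this model: {token}")
    return selected

def suite_names(spec):
    """Distinct suite names that survive the string (protocol rows merged)."""
    return {s.name for s in apply_cipher_string(spec)}
```

Calling suite_names on the three strings in the post, in order, drops the TLS1/TLS1.1 rows, then the DHE rows, then the RSA key exchange and SHA-1 rows, leaving only the two ECDHE GCM suites, which matches the "subset of ECDHE ciphers with SHA256/SHA384" described above.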
SMP73 If you know what can't exist in your ciphers it might be easier to use cipher groups rather than attempting to find the specific string to use.
- SMP73Altostratus
Thanks yeah, as mentioned, I can find countless articles on the process to do this, I am just unable to find a "recommended/best practice" cipher suite like I used to be able to. It looks like there used to be a guy here that would post cipher suites that you could cut and paste that were up to current standards, but looks like this is no longer here. It looks like I now need to check some security body for best practices and do some translation on what ciphers this equates to in the F5 naming convention and format for the cipher suites.
SMP73 I would start by creating a new Client SSL Profile and using the secure parent profile. After that you can run a scan using site https://www.ssllabs.com/ssltest/ or various other sites to see what might not be the setting for you. This should provide a human readable list as to what is not the optimal ciphers that you have available. Once you have that human readable list that should match up one to one in the cipher group where you can exclude the ciphers that are causing the lower security rating.
Might be too old (or off track) but MegaZone had a good practice article on Cipher Suites here:
Cipher Suite Practices and Pitfalls - DevCentral. Maybe that helps?
Thank you! This is exactly what I was looking for. Yes it did ding for the DHE key being 1024 bit as well as the TLS versions. This is a big help. Kind of swamped day to day and haven't had a chance to really read the details of all of the documentation on this and keep getting emails from cyber/soc. Thank you!