Forum Discussion

Altostratus

Aug 18, 2023

Most up to date Cipher Suite for version 14.1.x to increase BitSight findings?

Trying to improve some BitSight findings on our externally hosted sites. Bitsight is kind of vague on its findings and explanations. I know there used to be a page somewhere that had up to date Cip...

security

MegaZone
Aug 29, 2023
These are the default 14.1.x ciphers: https://my.f5.com/manage/s/article/K54125331
And these are all the 14.1.x ciphers: https://my.f5.com/manage/s/article/K97098157

I'd probably kill all TLSv1.0 and v1.1 ciphers to start:
DEFAULT:!TLSv1:!TLSv1_1

In 14.1.x the DHE key is 1024 bit, which can get you dinged, so probably turn those off:
DEFAULT:!TLSv1:!TLSv1_1:!DHE

If this doesn't do it, probably remove RSA (key exchange) & SHA1 ciphers:
DEFAULT:!TLSv1:!TLSv1_1:!DHE:!RSA:!SHA

That wil basically bring you to a subset of ECDHE ciphers with SHA256/SHA384.

SMP73

Altostratus

Thanks yeah, as mentioned, I can find countless articles on the process to do this, I am just unable to find a "recommended/best practice" cipher suite like I used to be able to. It looks like there used to be a guy here that would post cipher suites that you could cut and paste that were up to current standards , but looks like this is no longer here. It looks like I now need to check some security body for best practices and do some translation on what ciphers whis equates to in the F5 naming convention and format for the cipher suites.

Paulius

MVP

Aug 21, 2023

SMP73 I would start by creating a new Client SSL Profile and using the secure parent profile. After that you can run a scan using site https://www.ssllabs.com/ssltest/ or various other sites to see what might not be the setting for you. This should provide a human readable list as to what is not the optimal ciphers that you have available. Once you have that human readable list that should match up one to one in the cipher group where you can exclude the ciphers that are causing the lower security rating.

SMP73
Altostratus
Aug 21, 2023
Ok, thats kind of where I am right now, just trying to cross reference it all and translate the terminology into F5's syntax. Further question though, when i modified the in use SSl profile to remove the "No TLSv1.3" option, and saved it, SSL labs still did not show TLS 1.3 enabled. I tried switching SSL Profiles and saving then switching back and saving, and it still does not show up on SSL Labs. Is there some trick to get modfications to SSL profiles to take?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Most up to date Cipher Suite for version 14.1.x to increase BitSight findings?

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

Increased Security With First Party Cookies

Enhance Performance and Increase Scalability with F5 BIG-IP on HPE GreenLake

Increase Security in AWS without Rearchitecting your Applications - Part 1: Tuesday

Increase Security in AWS without Rearchitecting your Applications - Part 2: Wednesday Morning

Increase Security in AWS without Rearchitecting your Applications - Part 3: Wednesday Afternoon

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS