Forum Discussion
Most up to date Cipher Suite for version 14.1.x to increase BitSight findings?
- Aug 29, 2023
These are the default 14.1.x ciphers: https://my.f5.com/manage/s/article/K54125331
And these are all the 14.1.x ciphers: https://my.f5.com/manage/s/article/K97098157
I'd probably kill all TLSv1.0 and v1.1 ciphers to start:
DEFAULT:!TLSv1:!TLSv1_1
In 14.1.x the DHE key is 1024 bit, which can get you dinged, so probably turn those off:
DEFAULT:!TLSv1:!TLSv1_1:!DHE
If this doesn't do it, probably remove RSA (key exchange) & SHA1 ciphers:
DEFAULT:!TLSv1:!TLSv1_1:!DHE:!RSA:!SHA
That will basically bring you to a subset of ECDHE ciphers with SHA256/SHA384.
Might be too old (or off track) but MegaZone had a good practice article on Cipher Suites here:
Cipher Suite Practices and Pitfalls - DevCentral
Maybe that helps?
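To see how the three cipher strings above narrow the set step by step, here is a small added Python model (not code from the thread or from F5). It imitates the per-(suite, protocol) view that `tmm --clientciphers` prints, with a constructed six-suite catalogue standing in for DEFAULT, and treats the RSA keyword as matching RSA key exchange only, as the reply states, so ECDHE-RSA suites survive `!RSA`.

```python
"""Toy evaluator for BIG-IP style cipher strings (constructed example).
Models the tmm --clientciphers view: one row per (suite, protocol) pair; each
'!' keyword removes every row whose protocol, key exchange or MAC it names."""
from typing import List, NamedTuple


class Row(NamedTuple):
    suite: str
    protocol: str   # TLSv1, TLSv1_1, TLSv1_2
    kx: str         # key exchange keyword: RSA, DHE, ECDHE
    mac: str        # MAC keyword: SHA (SHA-1), SHA256, SHA384

def _rows(suite, protocols, kx, mac):
    return [Row(suite, p, kx, mac) for p in protocols]

ALL = ["TLSv1", "TLSv1_1", "TLSv1_2"]
# Constructed DEFAULT set, an assumption for illustration; not the full K97098157 list.
DEFAULT: List[Row] = (
    _rows("AES128-SHA", ALL, "RSA", "SHA")
    + _rows("AES256-SHA256", ["TLSv1_2"], "RSA", "SHA256")
    + _rows("DHE-RSA-AES128-GCM-SHA256", ["TLSv1_2"], "DHE", "SHA256")
    + _rows("ECDHE-RSA-AES128-SHA", ALL, "ECDHE", "SHA")
    + _rows("ECDHE-RSA-AES128-GCM-SHA256", ["TLSv1_2"], "ECDHE", "SHA256")
    + _rows("ECDHE-RSA-AES256-GCM-SHA384", ["TLSv1_2"], "ECDHE", "SHA384")
)

def evaluate(cipher_string: str) -> List[Row]:
    """Return the (suite, protocol) rows left after applying the string to DEFAULT."""
    keywords = cipher_string.split(":")
    if keywords[0] != "DEFAULT":
        raise ValueError("this toy only handles strings starting with DEFAULT")
    rows = list(DEFAULT)
    for kw in keywords[1:]:
        if not kw.startswith("!"):
            raise ValueError(f"only '!' exclusions are modelled, got {kw!r}")
        key = kw[1:]
        # A keyword removes a row when it names its protocol, key exchange or MAC.
        rows = [r for r in rows if key not in (r.protocol, r.kx, r.mac)]
    return rows

def suites(cipher_string: str) -> List[str]:
    """Distinct surviving suite names, in catalogue order."""
    return list(dict.fromkeys(r.suite for r in evaluate(cipher_string)))

if __name__ == "__main__":
    for cs in ("DEFAULT:!TLSv1:!TLSv1_1", "DEFAULT:!TLSv1:!TLSv1_1:!DHE",
               "DEFAULT:!TLSv1:!TLSv1_1:!DHE:!RSA:!SHA"):
        print(cs, "->", ", ".join(f"{r.suite}/{r.protocol}" for r in evaluate(cs)))
```

On a real unit, compare the model's output with `tmm --clientciphers '<string>'` on the BIG-IP itself, since only that command reflects the actual 14.1.x catalogue and keyword semantics.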
- MegaZone (SIRT), Aug 29, 2023
- SMP73 (Altostratus), Aug 29, 2023
Thank you! This is exactly what I was looking for. Yes it did ding for the DHE key being 1024 bit as well as the TLS versions. This is a big help. Kind of swamped day to day and haven't had a chance to really read the details of all of the documentation on this and keep getting emails from cyber/soc. Thank you!
- MegaZone (SIRT), Aug 29, 2023
In addition to turning off TLSv1.0 and v1.1 in the ciphers, you should turn off the protocols in the VIP - see https://community.f5.com/t5/technical-articles/cipher-suite-practices-and-pitfalls/ta-p/291127 which talks about that, amongst other things. (That's what Lief linked above.) Old article, but a lot of it still works. 🙂