Need help in disabling the weak ciphers in Client SSL profile

Question

Hello All,I'm working to disable exporting of weak cipher suties from LTM using Client SSL profile. For example I want to disable the below cipher sutite:TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) then what could be be the ciphers to use in client SSL profile to not export this sipher suites.&nbsp;Could you also share any article which will help to learn on this?&nbsp;Regards,Thiyagu

dario_garrido · Answer

​Hello​Configure cipher strength in your profilehttps://support.f5.com/csp/article/K13171​Cipher List base on your releasehttps://support.f5.com/csp/article/K13156​Recopilation of KB about ciphershttps://support.f5.com/csp/article/K8802​KR, Dario.

dario_garrido · Answer

BTW, "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)" is weak because of the key exchange (it's not ephemeral).You can configure your ciphersuite as "DEFAULT:!RSA" to avoid using not ephemeral key exchanges.# tmm --clientciphers DEFAULT:\!RSA
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA   
 1:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA   
 2:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA   
 3:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA   
 4:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA   
 5:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA   
 6:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA   
 7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA   
 8:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA   
 9:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA   
10:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA   
11:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA   
12:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA   
13:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.1  Native  DES       SHA     EDH/RSA   
14:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.2  Native  DES       SHA     EDH/RSA   
15:    22  DHE-RSA-DES-CBC3-SHA             168  DTLS1   Native  DES       SHA     EDH/RSA   
16: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA 
17: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA 
18: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA 
19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA 
20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA 
21: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA 
22: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA 
23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA 
24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA 
25: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA 
26: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA 
27: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA 
28: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA KR,Dario.

Forum Discussion

Need help in disabling the weak ciphers in Client SSL profile

2 Replies

Recent Discussions

My Journey to Passing the F5 402 Cloud Solution Specialist Exam: Tips & Guide

Trial License for F5 virtual edition in eve-ng

Migrate HW GTM 2600

Sending LTM\GTM logs to DCD devices

F5 Send email and snmp trap from LTM log event

Related Content

Disable below cipher

Disabling Weak Ciphers

Disabling Specific Weak Cipher Suites

How to disable weak cipher from Client SSL Profile

SSL Profiles Part 4: Cipher Suites