Forum Discussion
Disable below cipher
- Feb 23, 2022
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128So the hex cipher values are 0xc028 and 0xc027 - in decimal these are 49192 and 49191.
On the BigIP bash command line prompt, we can display all the client cipher names:# tmm --clientciphers 'ALL'
We can then filter using grep
# tmm --clientcipher 'ALL' | grep -e "49192" -e "49191"
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSAThis identifies the relevant ciphers and can be used to remove these ciphers using the cipher-string:
e.g.# tmm --clientcipher 'ECDHE:-3DES:-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256With those ciphers removed:
# tmm --clientcipher 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSAK53432077: How to test a cipher string
I hope this helps.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
So the hex cipher values are 0xc028 and 0xc027 - in decimal these are 49192 and 49191.
On the BigIP bash command line prompt, we can display all the client cipher names:
# tmm --clientciphers 'ALL'
We can then filter using grep
# tmm --clientcipher 'ALL' | grep -e "49192" -e "49191"
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
This identifies the relevant ciphers and can be used to remove these ciphers using the cipher-string:
e.g.
# tmm --clientcipher 'ECDHE:-3DES:-SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
With those ciphers removed:
# tmm --clientcipher 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
K53432077: How to test a cipher string
I hope this helps.
- F5ROCKFeb 23, 2022Nimbostratus
Thanks a lot Simon !
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com