
Forum Discussion

F5ROCK
Feb 23, 2022
Solved

Disable below cipher

I tried to disable the ciphers below (customer requirement): TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 This is the cipher string I am using and still we see the above weak...
  • Simon_Blakely
    Feb 23, 2022
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128

    So the hex cipher values are 0xc028 and 0xc027 - in decimal these are 49192 and 49191.
    On the BigIP bash command line prompt, we can display all the client cipher names:

     # tmm --clientciphers 'ALL' 

    We can then filter using grep

     # tmm --clientcipher 'ALL' | grep -e "49192" -e "49191" 
     2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
    63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

    This identifies the relevant ciphers and can be used to remove these ciphers using the cipher-string:
    e.g.

    # tmm --clientcipher 'ECDHE:-3DES:-SHA' 
    ID SUITE BITS PROT METHOD CIPHER MAC KEYX
    0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
    1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA  <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
    3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    With those ciphers removed:

    # tmm --clientcipher 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384' 
    ID SUITE BITS PROT METHOD CIPHER MAC KEYX
    0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
    1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

    K53432077: How to test a cipher string  

    I hope this helps.
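The procedure in the answer above (hex IANA suite ID from the scan, decimal ID in the tmm listing, OpenSSL-style name, exclusion appended to the cipher string) scripted end to end, as an added example that is not part of the original post. The `tmm --clientciphers 'ALL'` output is a constructed four-line sample so the script runs off-box; the function names, the `TMM_SAMPLE` variable and the base cipher string `ECDHE:-3DES:-SHA` are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Turns IANA suite IDs in hex
# (e.g. 0xc028 / 0xc027 from an SSL Labs-style report) into the
# "-NAME" exclusions BIG-IP expects in a cipher string.

# Constructed sample of `tmm --clientciphers 'ALL'` output (columns:
# ID SUITE BITS PROT METHOD CIPHER MAC KEYX). On a BIG-IP replace this
# with the real command's output.
TMM_SAMPLE='ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA'

# Hex IANA suite ID (without 0x) -> decimal, as printed in tmm's SUITE column.
hex_to_dec() {
    printf '%d' "0x$1"
}

# For each hex ID given, print the cipher name tmm uses for that suite
# (column 3 of the listing). Unknown IDs print nothing.
lookup_ciphers() {
    for h in "$@"; do
        dec=$(hex_to_dec "$h")
        printf '%s\n' "$TMM_SAMPLE" | awk -v id="$dec" '$2 == id { print $3 }'
    done
}

# Append ":-NAME" for every matched suite to a base cipher string.
# Usage: build_cipher_string BASE HEXID...
build_cipher_string() {
    base=$1
    shift
    out=$base
    for name in $(lookup_ciphers "$@"); do
        out="$out:-$name"
    done
    printf '%s\n' "$out"
}

# The two CBC suites flagged WEAK in the question, removed from the base
# string used in the answer.
build_cipher_string 'ECDHE:-3DES:-SHA' c028 c027

# On a real BIG-IP, confirm the result the same way the answer does:
# feed the generated string back to tmm and check the two IDs are gone.
if command -v tmm >/dev/null 2>&1; then
    tmm --clientciphers "$(build_cipher_string 'ECDHE:-3DES:-SHA' c028 c027)"
fi
```

The generated string is then applied to the SSL profile with `tmsh modify ltm profile client-ssl <profile> ciphers '<string>'`; re-running the external scan afterwards is the final check, since the tmm listing shows what the profile offers, not what a client actually negotiated.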