Selecting non-CBC ciphers

Question

Qualys downgraded CBC and so we are dealing with reports that these ciphers are weak. Like:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK

So, all our app owners are asking how to avoid them. I found this, since the scanners prefer GCM, but it is perhaps too limiting:

# tmm --clientciphers ECDHE+AES-GCM

ID SUITE BITS PROT METHOD CIPHER MAC KEYX

0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA

1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

After all, there are still a lot of OLD clients out there. How is everyone dealing with this change?

hamish · Answer

You make a concious decision. &nbsp;Do you wish to (insecurely) 'support' old insecure clients? Or do you wish to be secure?&nbsp;Seriously. This is an age old one that goes back to the early days of IE with 56-bit encryption. Then we inserted a redirect for anyone with bad encryption to a page saying update your browser. I'd probably recommend the same today.

Forum Discussion

Selecting non-CBC ciphers

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

irule to enable http/2 acceleration

VS FORWARDING & ROUTE

Statistics ›› Analytics : HTTP : Overview

SNI Sites not taking correct certificate.

Related Content

Cipher Suite Practices and Pitfalls

Cipher Strength Pool Selection

LTM Cipher rule

Disabling Weak Ciphers

Disable below cipher

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS