SSL Anonymous Cipher Suites Supported
Your configuration might be dependent on your current client/server cipher configuration and software version, so I'll speak more in general about the changes that need to be made; see the linked articles for more specific details. It's worth noting that none of our 'DEFAULT' cipher strings on v11.x - v14.x allow ADH. Also, if you are not terminating SSL at the F5, then this would not be an issue at your F5.
See the openssl link below and search for 'Anonymous' to see what ciphers allow anonymous.
I would recommend first navigating to the SSL profile applied to your virtual server and grabbing the cipher string listed there, then connecting to your F5 via SSH and using the cipher test command below to see what your current ciphers are.
Does your report list specific ciphers it found?
ADH is a common one and can be removed by appending ':!ADH' to your current cipher string.
== Test Ciphers ==
# tmm --clientciphers 'DEFAULT:!ADH'
K13171: Configuring the cipher strength for SSL profiles (11.x)
K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x)
K01770517: Configuring the cipher strength for SSL profiles (14.x)
https://www.openssl.org/docs/manmaster/man1/ciphers.html
K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)
K54125331: SSL ciphers used in the default SSL profiles (14.x)
- wazir, Jul 08, 2019, Altostratus
Output of the command: openssl ciphers -v 'ADH:@STRENGTH'
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
It's the load balancer and not any backend servers; it's a test LB, so it's not used for anything except testing configs.
1.) Do I need to add anonymous cipher disable code on the above line in the HAProxy server at the path /etc/haproxy/haproxy.cfg?
2.) Do I need to add (DEFAULT:!ADH) to the above ssl-default-bind-ciphers?
- Andrew-F5, Jul 08, 2019, Employee
I realized you noted HAProxy, which is typically leveraged by NGINX, but my entire reply above was in regards to the F5 LTM Client SSL profile.
Admittedly I'm not super familiar with HAProxy, but I'll try to do some research and circle back here some time.
I assume this is some pen testing tool giving you the result you noted? If so, does it specify what port/protocol/service it's connecting to?
Given the ssl-default-bind-ciphers, I would be surprised if that were it, as there do not appear to be any anonymous ciphers.
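The two questions in this thread (does the F5 cipher string still allow ADH after appending ':!ADH', and does the HAProxy ssl-default-bind-ciphers list contain any anonymous suites) come down to the same check: expand the cipher string and look for suites whose Au column is None, meaning the server never authenticates and an active attacker can sit in the middle of the handshake. The script below is an added example, not code from the thread or from F5. It parses the text format printed by `openssl ciphers -v`, flags unauthenticated suites, and can run the local openssl to expand a string. The two embedded outputs are constructed for the example: the first is the poster's 'ADH:@STRENGTH' expansion, the second is what OpenSSL 1.0.2-era builds print for the HAProxy list above. The `strip_anonymous` helper appends ':!AECDH' in addition to the thread's ':!ADH' so anonymous ECDH suites are excluded too; OpenSSL's '!aNULL' alias covers both. Caveat: expanding a string with your workstation's openssl shows what that OpenSSL build thinks the string means, not what TMM on the BIG-IP negotiates, so on the F5 itself use `tmm --clientciphers` as described earlier in the thread.

```python
"""Spot anonymous (unauthenticated) suites in an OpenSSL-style cipher list.

Added example; not from the forum thread or from F5. Parses the text printed by
`openssl ciphers -v <spec>` (name, protocol, Kx=, Au=, Enc=, Mac= columns).
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Suite:
    name: str
    protocol: str
    kx: str   # key exchange: DH, ECDH, RSA, ...
    au: str   # authentication: RSA, ECDSA, None, ...
    enc: str
    mac: str

    @property
    def is_anonymous(self) -> bool:
        # Au=None: the peer never proves its identity, so the key exchange
        # can be intercepted and re-keyed by an active attacker (MITM).
        return self.au == "None"


def parse_ciphers_v(output: str) -> list[Suite]:
    """Parse `openssl ciphers -v` output into Suite records."""
    suites: list[Suite] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        # Remaining columns are Key=Value pairs; a bare 'export' flag has no '='.
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append(Suite(fields[0], fields[1], attrs.get("Kx", ""),
                            attrs.get("Au", ""), attrs.get("Enc", ""),
                            attrs.get("Mac", "")))
    return suites


def anonymous_suites(output: str) -> list[str]:
    """Names of every suite in the output that offers no authentication."""
    return [s.name for s in parse_ciphers_v(output) if s.is_anonymous]


def strip_anonymous(spec: str) -> str:
    """Append the exclusion the thread recommends (!ADH) plus !AECDH for
    anonymous ECDH suites. OpenSSL's !aNULL alias is equivalent to both."""
    return spec + ":!ADH:!AECDH"


def expand_spec(spec: str) -> Optional[str]:
    """Expand a cipher string with the local openssl; None if unavailable."""
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    result = subprocess.run([openssl, "ciphers", "-v", spec],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


# Constructed sample: the poster's `openssl ciphers -v 'ADH:@STRENGTH'` output.
ADH_OUTPUT = """\
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
"""

# Constructed sample: `openssl ciphers -v` (OpenSSL 1.0.2-style) for the
# HAProxy ssl-default-bind-ciphers list quoted in the thread.
HAPROXY_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

if __name__ == "__main__":
    print("anonymous in ADH list    :", anonymous_suites(ADH_OUTPUT))
    print("anonymous in HAProxy list:", anonymous_suites(HAPROXY_OUTPUT))
    live = expand_spec(strip_anonymous("DEFAULT"))
    if live is not None:
        print("anonymous in local DEFAULT:!ADH:!AECDH:", anonymous_suites(live))
```

Running it with no openssl on PATH still reports on the two embedded samples; with openssl present it also shows that 'DEFAULT:!ADH:!AECDH' expands to no Au=None suites on that build. To audit a real configuration, feed `expand_spec` the exact string from the Client SSL profile or the ssl-default-bind-ciphers line, and treat any non-empty result from `anonymous_suites` as the finding a scanner would report.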