Forum Discussion

Bciesz_171056
Feb 02, 2018

SSL Cipher tweaking

Hi,

 

To be honest, I do not completely understand how the cipher string is constructed, but I normally use this one, which used to give me grade A on ssllabs: !LOW:!SSLv2:!SSLv3:!MD5:!RC4+SHA:!EXPORT:!DHE:ECDHE+AES:AES+SHA+RSA:@STRENGTH

 

The grade on ssllabs is quite important for me - not only do I treat it as a good benchmark, but my client freaks out when he sees anything other than that juicy green.

 

Today, I've noticed two things that worried me a bit. One - my VSes are vulnerable to ROBOT (https://robotattack.org/). Two - "This server does not support Authenticated encryption (AEAD) cipher suites".

 

I kinda worked around number one by adding "!RSA:" at the beginning of my cipher string (which I guess is not the most elegant solution...). Not sure what to do with the other.

 

Any suggestions on how I should construct my cipher string, or perhaps use another solution to mitigate ROBOT (upgrade is out of the question, at least for now, so I guess getting rid of RSA key exchange needs to do the trick) and support AEAD?

 

EDIT: I'm using 12.0

 

  • If upgrading is not an option, I think you should change the cipher on your client profile. You could use this one:

     

    'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'

     

    Keep in mind, assuming that you are using SSL offloading on the LB, ssllabs checks the connection to the load balancer (not to the real server). So, if the server doesn't support AEAD, you can relax the ciphers on the server profile.
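
An added example, not part of the original thread and not F5 tooling: a small Python check that takes an explicit colon-separated suite list, such as the one suggested in the reply above, and reports the two findings raised in the question (suites using static RSA key exchange, which is what ROBOT concerns, and suites that are or are not AEAD). It assumes OpenSSL-style names for TLS 1.2 and earlier, where a suite with no key-exchange prefix (for example AES256-SHA) uses RSA key exchange; the function names and the second sample list are constructed for illustration.

```python
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}

# Explicit list quoted in the reply above.
SUGGESTED = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
)
# Constructed sample mixing static-RSA and ECDHE suites.
CONSTRUCTED = "AES256-SHA:AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def classify(name):
    """Return key exchange and AEAD status for one explicit suite name."""
    # Rule strings (!RSA, ECDHE+AES, @STRENGTH) and TLS 1.3 names are out of scope.
    if not name or any(c in name for c in "!+@") or name.startswith("TLS_"):
        raise ValueError(f"not an explicit pre-TLS-1.3 suite name: {name!r}")
    parts = name.upper().split("-")
    head = parts[0]
    if head in EPHEMERAL_KX or head in OTHER_KX:
        kx = head
    else:
        kx = "RSA"  # assumption: no key-exchange prefix means static RSA
    return {
        "name": name,
        "kx": kx,
        "forward_secret": head in EPHEMERAL_KX,
        "aead": any(p.startswith(AEAD_MARKERS) for p in parts),
    }


def audit(cipher_list):
    """Split an explicit list into the two findings discussed in the thread."""
    suites = [classify(n.strip()) for n in cipher_list.split(":")]
    return {
        "static_rsa_kx": [s["name"] for s in suites if s["kx"] == "RSA"],
        "aead": [s["name"] for s in suites if s["aead"]],
        "non_aead": [s["name"] for s in suites if not s["aead"]],
    }


if __name__ == "__main__":
    for label, value in (("suggested", SUGGESTED), ("constructed", CONSTRUCTED)):
        print(label, audit(value))
```

The check works on names only; which suites a given BIG-IP version actually negotiates still has to be confirmed on the device or with a scan.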