Forum Discussion
SSL Cipher tweaking
Hi,
To be honest i do not completely understand how the cipher string is constructed, but I normally use this one, that used to give me grade A on ssllabs: !LOW:!SSLv2:!SSLv3:!MD5:!RC4+SHA:!EXPORT:!DHE:ECDHE+AES:AES+SHA+RSA:@STRENGTH
grade on ssllabs is quite important for me - not only I treat it as a good benchmark, but my client is freaking out when he sees anything else that juicy green.
Today, I've noticed two things, that worried me a bit. One - my VSses are vulnerable to ROBOT (https://robotattack.org/) Two - This server does not support Authenticated encryption (AEAD) cipher suites
I kinda work around number one, by adding "!RSA:" at the beginning of my cipher string (which I guess is not the most elegant solution...). Not sure what to do with the other.
Any suggestions how should I construct my cipher, or perhaps utilize other solution to mitigate ROBOT (upgrade is out of the question, at least for now, so I guess getting rid of RSA key exchange needs to do the trick) and support AEAD?
EDIT: I'm using 12.0
- crengifo_232216Nimbostratus
If upgrading is not an option, I think you should change the cipher on your client profile. You could use this one:
'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'
Keep in mind, assuming that your are using SSL offloading on the LB, ssllabs checks the connection to the load balancer (not to the real server.) So, if the server doesn't support AEAD, you can relax the ciphers on the server profile.
- Daniel_VarelaEmployee
Hi, Have a look to the OWASP recommendations: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet (at the bottom of the page you have the cipher strings, you may need to tweak them a bit). I use to implement this and enforce advanced plus whenever I can (all modern browsers should support it)
- BB16Nimbostratus
check with this as suggested by official https://support.f5.com/csp/article/K21905460
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com