aquispe17_31055
May 21, 2018
Solved

SSL Ciphers (SSLLabs) Warning

Hi everyone, I ran an SSL test against a web application and received various warnings about weak ciphers. How can I close these cipher protocols?

 

TLS 1.2:

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK

TLS 1.1:

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK

 

  • Disable the ciphers below in order to eliminate the weak cipher list. I have tested in a lab and all the weak ciphers are gone. I suggest you test in a lab environment and share feedback. Most important thing: don't play with the default client-ssl profile.

    Disable the ciphers below to eliminate the weak TLS ciphers.

    TLS1.2

        AES256-GCM-SHA384
        AES256-SHA256
        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    TLS 1.1

        AES256-SHA
        DHE-RSA-CAMELLIA256-SHA
        CAMELLIA256-SHA
    

    Share your feedback.

5 Replies

    • Samir_Jha_52506

      Use "!" at the beginning to disable a cipher. See the example below:

       DEFAULT:!AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!CAMELLIA256-SHA
      
    • Snl

      A sample is below:
       

      !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4
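
Added example, not part of the original thread and not F5 tooling: a Python script that parses the SSL Labs lines from the question, keeps the suites flagged WEAK, and builds the `DEFAULT:!...` exclusion string in the form shown in the replies, then checks a later rescan against it. The name table covers only the five suites paired in this thread, and the function names and the final sample line are assumptions made for the example.

```python
import re

# IANA name -> F5 cipher name, limited to the pairs that appear in this thread.
IANA_TO_F5 = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA": "DHE-RSA-CAMELLIA256-SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA": "CAMELLIA256-SHA",
}

# One report entry: suite name, hex code point, then notes up to the next entry.
ENTRY = re.compile(
    r"(TLS_[A-Z0-9_]+) \((0x[0-9a-fA-F]+)\)(.*?)(?=TLS_[A-Z0-9_]+ \(|$)", re.S)

# Report text from the question (re-wrapped), plus one constructed non-weak line (the last).
SAMPLE = """TLS1.2:
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK
TLS 1.1
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits FS WEAK TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 FS
"""

def weak_suites(report):
    """IANA names flagged WEAK, de-duplicated across protocol versions."""
    seen = []
    for name, _code, notes in ENTRY.findall(report):
        if "WEAK" in notes.split() and name not in seen:
            seen.append(name)
    return seen

def build_cipher_string(report, base="DEFAULT"):
    """Return (cipher string, names with no known F5 equivalent)."""
    exclusions, unmapped = [], []
    for name in weak_suites(report):
        if name in IANA_TO_F5:
            exclusions.append("!" + IANA_TO_F5[name])
        else:
            unmapped.append(name)  # report it; never guess a cipher name
    return ":".join([base] + exclusions), unmapped

def still_offered(cipher_string, rescan):
    """Suites excluded by cipher_string that a later scan still lists."""
    excluded = {part[1:] for part in cipher_string.split(":") if part[:1] == "!"}
    return sorted({n for n, _c, _t in ENTRY.findall(rescan)
                   if IANA_TO_F5.get(n) in excluded})
```

As the accepted answer advises, apply the resulting string to a custom client-ssl profile rather than the default one, and rescan to confirm `still_offered` comes back empty.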