Forum Discussion
Eric_Brander_27
Nimbostratus
Apr 08, 2008
SSL Encryption Level
Thanks for clicking.
I've been notified via our auditors that our BIGIP LTM is allowing weak encryption. Yet I cannot for the life of me find where I can tell the LTM to only allow Medium o...
hoolio
Cirrostratus
May 11, 2010
The Redirection on Weak Encryption Codeshare example handles this scenario more gracefully than disabling the low ciphers on the client SSL profile. The former gives you a chance to redirect the client to a page which explains why they're not able to access the application and a way to fix the problem. The latter should result in a TCP FIN or RST which the client would probably assume is a problem with the application.
The iRule will result in vulnerability scanners detecting LTM supports weak ciphers. However, this is a false positive as LTM won't allow such clients to access the application.
To view the ciphers included in a cipher string you can use tmm --clientciphers:
tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW'
ID  SUITE            BITS PROT  METHOD CIPHER MAC KEYX
 0:  4 RC4-MD5        128 SSL3  Native RC4    MD5 RSA
 1:  4 RC4-MD5        128 TLS1  Native RC4    MD5 RSA
 2:  5 RC4-SHA        128 SSL3  Native RC4    SHA RSA
 3:  5 RC4-SHA        128 TLS1  Native RC4    SHA RSA
 4: 47 AES128-SHA     128 SSL3  Native AES    SHA RSA
 5: 47 AES128-SHA     128 TLS1  Native AES    SHA RSA
 6: 47 AES128-SHA     128 DTLS1 Native AES    SHA RSA
 7: 53 AES256-SHA     256 SSL3  Native AES    SHA RSA
 8: 53 AES256-SHA     256 TLS1  Native AES    SHA RSA
 9: 53 AES256-SHA     256 DTLS1 Native AES    SHA RSA
10: 10 DES-CBC3-SHA   192 SSL3  Native DES    SHA RSA
11: 10 DES-CBC3-SHA   192 TLS1  Native DES    SHA RSA
12: 10 DES-CBC3-SHA   192 DTLS1 Native DES    SHA RSA
Aaron
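The redirect-instead-of-reset approach the reply describes, written out as an added iRule illustration (this is not the Codeshare iRule itself and not code from the thread). The explanation page path and the 128-bit threshold are assumptions for the example; `SSL::cipher bits`, `SSL::cipher name`, `SSL::cipher version`, `HTTP::path`, `HTTP::host`, `HTTP::redirect` and `IP::client_addr` are standard iRule commands.

```tcl
# Added example: send clients that negotiated a weak cipher to an explanation
# page instead of letting the client SSL profile drop the handshake.
when HTTP_REQUEST {
    # Page that explains the problem. It is served through this same virtual
    # server, so it must be exempted below or every request for it would be
    # redirected straight back to itself (assumed path for this example).
    set explain_path "/weak-cipher.html"

    if { [HTTP::path] equals $explain_path } {
        return
    }

    # SSL::cipher bits is the symmetric key length negotiated on this
    # connection; below 128 bits is what scanners commonly report as "low".
    if { [SSL::cipher bits] < 128 } {
        log local0. "Weak cipher [SSL::cipher name] ([SSL::cipher bits] bits, \
            [SSL::cipher version]) from [IP::client_addr]; redirecting to $explain_path"
        HTTP::redirect "https://[HTTP::host]$explain_path"
        return
    }
}
```

Because the explanation page is deliberately reachable over the weak cipher, it should contain nothing sensitive, only the upgrade instructions. As the reply notes, a scanner will still see the weak suites offered in the handshake, so keep a record of this iRule to hand to the auditors as the compensating control, and check the logged `SSL::cipher name` values against the `tmm --clientciphers` output to confirm the threshold catches exactly the suites you intend.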