Karimm
Nov 21, 2022 (Nimbostratus)
TLS weak Qualys report
Hi guys, Please help to identify the reason why Qualys scan gives this result about TLS protocol.
Is there anything to change on the SSL profiles ?
Thank you!!
CLI example of creating cipher rules and then including those cipher rules in cipher groups.
They can be created from the CLI and applied as and when required. Once the cipher group is created, you can apply it in a Client SSL profile or a Server SSL profile:
Here is an example
==========
STEP 1
==========
*************************************************************************************************************
Check LIST command to see the content of CIPHER Rule name TESTBOX1_STANDARD-CIPHER-RULE on /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
==========
STEP 2
==========
*************************************************************************************************************
Check LIST command to see the content of CIPHER GROUP name TESTBOX1-STANDARD-CIPHER-GROUP on /Common partition
*************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
==========
STEP 3
==========
*************************************************************************************************************
Check SHOW command to see the content of CIPHER Rule name TESTBOX1_STANDARD-CIPHER-RULE on /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
--------------------
Ltm::Cipher::Rule
--------------------
Name TESTBOX1_STANDARD-CIPHER-RULE
Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DH-Groups DEFAULT
Signature Algorithms DEFAULT
==========
STEP 4
==========
*************************************************************************************************************
Check SHOW command to see the content of CIPHER Group name TESTBOX1-STANDARD-CIPHER-GROUP on /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
---------------------------
Ltm::Cipher::Group
---------------------------
Name TESTBOX1-STANDARD-CIPHER-GROUP
Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
DH-Groups Result P384:P256:X25519
Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256
==========
STEP 5
==========
*************************************************************************************************************
You can use [ load sys config merge from-terminal ] command to insert the CIPHER RULE and CIPHER GROUP from CLI
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm cipher rule /Common/TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
ltm cipher group /Common/TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
/Common/TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
Loading configuration...
==========
STEP 6
==========
*************************************************************************************************************
You can use [ save sys config partitions all ] to save the configuration in all the partitions, then verify with the
list and show commands again
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# save sys config partitions all
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
--------------------
Ltm::Cipher::Rule
--------------------
Name TESTBOX1_STANDARD-CIPHER-RULE
Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DH-Groups DEFAULT
Signature Algorithms DEFAULT
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)#
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
---------------------------
Ltm::Cipher::Group
---------------------------
Name TESTBOX1-STANDARD-CIPHER-GROUP
Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
DH-Groups Result P384:P256:X25519
Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256
HTH
Hi Karimm ,
- If you ran this scan against a server/application published through a virtual server hosted by F5, you need to strengthen your SSL ciphers and remove all weak ciphers.
Read this Article :
https://support.f5.com/csp/article/K01770517
Also Look at this :
https://support.f5.com/csp/article/K13171
and this as well , to apply your new strong ciphers :
https://support.f5.com/csp/article/K10866411
- Recently, I strengthened one of our customer's F5 appliances against weak ciphers, and I can definitely share it with you.
Regards
Hi Altocumulus,
Thanks a lot! Can you share how you did it with your client?
Thank you!
Hi Karimm ,
Ok
First :
> Open (Local Traffic > Ciphers) and select Rules,
and create a rule like this:
> Then create a Cipher Group:
> Then modify the Client SSL profile that is attached to your virtual servers (the virtual server that you ran the "Qualys" test on) and associate it with the created cipher group.
clarified here :
Note:
> This is the cipher string used in the Rule:
DEFAULT:!TLSV1:!TLSV1_1:!AES
This rule excludes TLSv1, TLSv1.1 and CBC.
> This is a more secure cipher string:
ALL:!ADH:!LOW:!EXP:!NULL:!RC4:!DES:!3DES:!SHA:!SHA256:!SHA384:!MD5+HIGH:+MEDIUM
use any of them.
But Note :
Maybe some of your clients have old devices and still negotiate with weak ciphers, and this may impact them, but you are securing yourself against attacks and doing what the Qualys test recommends by removing all weak ciphers.
> These ciphers restrict how users negotiate with your application that is published on the virtual server.
> If you run your Qualys test again you shouldn't see the weak ciphers anymore.
Regards
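A way to check the result before re-running the scanner, as an added example that is not part of this thread or of F5's own tooling: the script below parses the "Cipher Result" line that `show ltm cipher group <name>` prints in the CLI answer above (format `SUITE/TLSversion:SUITE/TLSversion:...`), flags every suite that Qualys SSL Labs grades as weak (CBC-mode suites, suites without forward secrecy, and anything negotiable under TLS 1.0/1.1), builds a cipher string from the suites that passed, and emits the tmsh commands to create the rule and group and attach the group to the Client SSL profile, which is the step this answer describes in the GUI. The sample input is constructed (a subset of the resolved list shown earlier plus one TLS 1.0 suite), the object names TESTBOX1-STRONG-* and my-clientssl are hypothetical, and the tmsh syntax (`allow add { ... }`, `ciphers none` being required alongside `cipher-group`, and the `no-tlsv1` / `no-tlsv1_1` option names) is what I believe tmsh accepts, so verify it against your BIG-IP version.

```python
"""Audit a BIG-IP resolved cipher list and emit hardening tmsh commands.

Added example, not from the thread. Input is the "Cipher Result" line
printed by `show ltm cipher group <name>`: NAME/TLS1.2:NAME/TLS1.3:...
Classification follows Qualys SSL Labs grading: CBC-mode suites, suites
without forward secrecy, and legacy protocol versions are reported weak.
"""
from dataclasses import dataclass

# Constructed sample: a subset of the resolved list from the earlier
# `show ltm cipher group` step, plus one suite reachable over TLS 1.0.
SAMPLE_CIPHER_RESULT = (
    "ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:"
    "AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:"
    "DHE-RSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:"
    "ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:"
    "ECDHE-RSA-AES128-SHA/TLS1.0:TLS13-AES128-GCM-SHA256/TLS1.3"
)

AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20")   # AEAD modes in BIG-IP suite names
LEGACY_VERSIONS = ("SSL3", "TLS1", "TLS1.0", "TLS1.1")


@dataclass(frozen=True)
class Suite:
    name: str
    version: str

    @property
    def forward_secret(self) -> bool:
        # TLS 1.3 key exchange is always ephemeral; TLS 1.2 suites only
        # when the key exchange is ECDHE or DHE.
        return self.version == "TLS1.3" or self.name.startswith(("ECDHE-", "DHE-"))

    @property
    def cbc(self) -> bool:
        # Suite names mark AEAD modes explicitly; anything else in the
        # TLS 1.2 list is a CBC (MAC-then-encrypt) suite.
        return self.version != "TLS1.3" and not any(m in self.name for m in AEAD_MARKERS)

    def findings(self) -> list[str]:
        out = []
        if self.version in LEGACY_VERSIONS:
            out.append("legacy protocol " + self.version)
        if not self.forward_secret:
            out.append("no forward secrecy")
        if self.cbc:
            out.append("CBC mode")
        return out


def parse_cipher_result(text: str) -> list[Suite]:
    suites = []
    for item in text.strip().split(":"):
        if not item:
            continue
        name, _, version = item.partition("/")
        suites.append(Suite(name, version or "unknown"))
    return suites


def weak_suites(text: str) -> dict[str, list[str]]:
    """Map each flagged suite (name/version) to the reasons it is flagged."""
    return {f"{s.name}/{s.version}": s.findings()
            for s in parse_cipher_result(text) if s.findings()}


def strong_rule_string(text: str) -> str:
    """Cipher string of the suites that raised no finding, joined with ':'
    (assumed: explicit suite names in F5's cipher string syntax)."""
    return ":".join(s.name for s in parse_cipher_result(text) if not s.findings())


def tmsh_hardening_commands(rule: str, group: str, profile: str, cipher_string: str) -> list[str]:
    """tmsh commands to create the rule and group and attach the group.

    Assumed syntax: `allow add { rule }`, `ciphers none` required when
    `cipher-group` is set, and `no-tlsv1` / `no-tlsv1_1` option names.
    """
    return [
        f'create ltm cipher rule {rule} cipher "{cipher_string}"',
        f"create ltm cipher group {group} allow add {{ {rule} }} ordering strength",
        f"modify ltm profile client-ssl {profile} ciphers none cipher-group {group} "
        "options { dont-insert-empty-fragments no-tlsv1 no-tlsv1_1 }",
        f"show ltm cipher group {group}",
        "save sys config",
    ]


if __name__ == "__main__":
    for suite, reasons in weak_suites(SAMPLE_CIPHER_RESULT).items():
        print(f"WEAK  {suite}: {', '.join(reasons)}")
    strong = strong_rule_string(SAMPLE_CIPHER_RESULT)
    print("\nSuites kept:", strong)
    print("\ntmsh commands (hypothetical object names):")
    for cmd in tmsh_hardening_commands("TESTBOX1-STRONG-CIPHER-RULE",
                                       "TESTBOX1-STRONG-CIPHER-GROUP",
                                       "my-clientssl", strong):
        print("  " + cmd)
```

On the constructed sample this flags five suites: the two ECDHE CBC suites, the two non-ECDHE AES256 suites (no forward secrecy, one of them also CBC) and the TLS 1.0 suite, leaving only the GCM and TLS 1.3 suites in the generated rule string. Run it over the "Cipher Result" line from your own `show ltm cipher group` output; a `DEFAULT:!TLSV1:!TLSV1_1:!AES` style rule can still resolve to CBC or non-forward-secret suites from other families, so checking the resolved list is what tells you what the scanner will see.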