TLS weak Qualys report
CLI example of creating Cipher Rules and then including those Cipher Rules in Cipher Groups
Cipher Rules and Cipher Groups can be created from the CLI and applied as and when required. Once a Cipher Group is created, you can apply it to a Client SSL profile or a Server SSL profile:
Here is an example. Note that the example cipher string below still includes CBC suites (e.g. AES128-SHA256) and static-RSA key-exchange suites without forward secrecy (e.g. AES128-GCM-SHA256), which scanners such as Qualys SSL Labs report as weak; trim the rule to match your policy before applying the group.
==========
STEP 1
==========
*************************************************************************************************************
Use the LIST command to see the content of the Cipher Rule named TESTBOX1_STANDARD-CIPHER-RULE in the /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
==========
STEP 2
==========
*************************************************************************************************************
Use the LIST command to see the content of the Cipher Group named TESTBOX1-STANDARD-CIPHER-GROUP in the /Common partition
*************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
==========
STEP 3
==========
*************************************************************************************************************
Use the SHOW command to see the content of the Cipher Rule named TESTBOX1_STANDARD-CIPHER-RULE in the /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
--------------------
Ltm::Cipher::Rule
--------------------
Name TESTBOX1_STANDARD-CIPHER-RULE
Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DH-Groups DEFAULT
Signature Algorithms DEFAULT
==========
STEP 4
==========
*************************************************************************************************************
Use the SHOW command to see the content of the Cipher Group named TESTBOX1-STANDARD-CIPHER-GROUP in the /Common partition
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
---------------------------
Ltm::Cipher::Group
---------------------------
Name TESTBOX1-STANDARD-CIPHER-GROUP
Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
DH-Groups Result P384:P256:X25519
Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256
==========
STEP 5
==========
*************************************************************************************************************
You can use the [ load sys config merge from-terminal ] command to insert the Cipher Rule and Cipher Group from the CLI
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ltm cipher rule /Common/TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
ltm cipher group /Common/TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
/Common/TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
Loading configuration...
==========
STEP 6
==========
*************************************************************************************************************
You can use [ save sys config partitions all ] to save the configuration in all partitions, then verify with the
list and show commands again
**************************************************************************************************************
root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# save sys config partitions all
Saving running configuration...
/config/bigip.conf
/config/bigip_base.conf
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
description TESTBOX1_STANDARD-CIPHER-RULE
dh-groups DEFAULT
signature-algorithms DEFAULT
}
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
allow {
TESTBOX1_STANDARD-CIPHER-RULE { }
}
description TESTBOX1-STANDARD-CIPHER-GROUP
ordering strength
}
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
--------------------
Ltm::Cipher::Rule
--------------------
Name TESTBOX1_STANDARD-CIPHER-RULE
Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
DH-Groups DEFAULT
Signature Algorithms DEFAULT
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)#
root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
---------------------------
Ltm::Cipher::Group
---------------------------
Name TESTBOX1-STANDARD-CIPHER-GROUP
Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
DH-Groups Result P384:P256:X25519
Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256
HTH