Vulnerability SSL Medium Strength Cipher Suites Supported

Question

From the PCI audit I get the following: Vulnerability SSL Medium Strength Cipher Suites Supported

Currently the following is configured:

list sys httpd

sys httpd {

auth-pam-idle-timeout 2400

ssl-ciphersuite HIGH:!ADH

ssl-protocol TLSv1.2

Would it be correct to change this to

modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

or do I need other settings ?

youssef1 · Answer

Hi,&nbsp;I suppose it's for mgmt service:&nbsp;you have many example here:&nbsp;https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html&nbsp;How to create an SSL server that only accepts strong encryption?&nbsp;SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&nbsp;How to create a server that accepts many types of encryption in general, but requires strong encryption to access a particular URL?&nbsp;SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&nbsp;you can also refine as you go...&nbsp;You confirm that it's for the management interface?&nbsp;regards

s_meulmeester · Answer

​Hi, I confirm it is the management interface&nbsp; so would the following configuration solve the problem of Medium Strength Cipher Suites " modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'&nbsp; OR modify /sys httpd ssl-ciphersuite HIGH OR .... something else.I want the highest (strongest&nbsp; ciphersuite/level of security.

youssef1 · Answer

Hi,&nbsp;There is a solution, get rid of all the low and medium level ciphers from apache conf file. Try this first, it can fix your problem:&nbsp;TLSv1.2+HIGH:!aNULL:!eNULL &nbsp;Keep me in touch.&nbsp;&nbsp;

s_meulmeester · Answer

​Hi,TLSv1.2+HIGH:!aNULL:!eNULL&nbsp; didn't help, I know configured&nbsp; modify /sys httpd ssl-ciphersuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256"&nbsp;

Forum Discussion

Vulnerability SSL Medium Strength Cipher Suites Supported

Recent Discussions

Http / https health monitor issue

F5-SDK Get GTM Pool Server, Virtual Server, Unused Objects, and JSON Conversion for Data Processing

F5 DNS Generic Host

How do I create a traffic log for two different route domains?

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Mitigating Apache Camel Vulnerability CVE-2025–27636 with F5 Products

Support and Help for DevCentral and Offline Contact

Phishing, Malware and Spyware Campaign, BRUTED Tool & CISA’s List Of Exploited Vulnerabilities

Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

Coordinated Vulnerability Disclosure: A Balanced Approach

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS