Weak Cipher Disabling

Hi,

you can try the below

DEFAULT:!TLSv1:!RSA:!TLSv1_1:!3DES:!AES:!CAMELLIA:!DHE:@STRENGTH

F5 is already disabled all ssl n tls1.0 n tls1.1 ciphers in v14.x.

​​

I don't thing any difference in keeping DEFAULT in begining.

​

You can check in bash mode

​

tmm --clientciphers 'DEFAULT:TLSV1_2:!DES:!3DES:!ADH:!EXPORT'

​

​vs

tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT'

​

​

Hi,

what is the release of BIG-IP?

Angelo

BIP-IP release is 14.0.0.2

NULL ciphers (no encryption)                 not offered (OK)

Anonymous NULL Ciphers (no authentication)   not offered (OK)

Export ciphers (w/o ADH+NULL)                not offered (OK)

LOW: 64 Bit + DES, RC[2,4] (w/o export)      offered (NOT ok)

Triple DES Ciphers / IDEA                    not offered (OK)

Average: SEED + 128+256 Bit CBC ciphers      offered

Strong encryption (AEAD ciphers)             offered (O

Earlier it was giving weak cipher for Anonmymous, low and Tipple DES.

I entered below:

TLSV1_2:!DES:!3DES:!ADH:!EXPORT

After this they rechecked and they are just getting 1 again

NULL ciphers (no encryption)                 not offered (OK)

Anonymous NULL Ciphers (no authentication)   not offered (OK)

Export ciphers (w/o ADH+NULL)                not offered (OK)

LOW: 64 Bit + DES, RC[2,4] (w/o export)      offered (NOT ok)

Triple DES Ciphers / IDEA                    not offered (OK)

Average: SEED + 128+256 Bit CBC ciphers      offered

Strong encryption (AEAD ciphers)             offered (OK)

What value I need to Add more to above ciphers.

Second what we just have only to enable TLSV1.2 only what I did in above ciphers.

You can try something like this.

​

​DEFAULT:ECDHE:!RSA:!DHE:!3DES

​

LEt us know the results.

What is purpose of using DEFAULT in start is it must of use I have TLSv1.2 turned on that is required ​

What is purpose of using DEFAULT in start is it must of used as I have to enable TLSv1.2 turned on