Forum Discussion
Weak Cipher Disabling
Hi Team,
I am trying to disable weak ciphers but am still getting the following result.
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers offered
Strong encryption (AEAD ciphers) offered (OK)
I have used the following cipher list.
TLSV1_2:!DES:!3DES:!ADH:!EXPORT
What more do I need to add to block LOW: 64 Bit + DES, RC[2,4] (w/o export)?
- Hussain_TutaNimbostratus
Hi,
You can try the below:
DEFAULT:!TLSv1:!RSA:!TLSv1_1:!3DES:!AES:!CAMELLIA:!DHE:@STRENGTH
F5 has already disabled all SSL, TLS 1.0 and TLS 1.1 ciphers in v14.x.
I don't think there is any difference in keeping DEFAULT at the beginning.
You can check in bash mode:
tmm --clientciphers 'DEFAULT:TLSV1_2:!DES:!3DES:!ADH:!EXPORT'
vs
tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT'
- Angelo_VCirrus
Hi,
What is the release of BIG-IP?
Angelo
- Jawad_MukhtarAltostratus
BIG-IP release is 14.0.0.2
- Angelo_VCirrus
Hussain's answer should be correct.
- Jawad_MukhtarAltostratus
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers offered
Strong encryption (AEAD ciphers) offered (O
Earlier it was giving weak ciphers for Anonymous, LOW and Triple DES.
I entered the below:
TLSV1_2:!DES:!3DES:!ADH:!EXPORT
After this they rechecked and they are getting just 1 again:
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export) offered (NOT ok)
Triple DES Ciphers / IDEA not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers offered
Strong encryption (AEAD ciphers) offered (OK)
What value do I need to add to the above ciphers?
Second, we have to enable only TLSV1.2, which is what I did in the above ciphers.
You can try something like this.
DEFAULT:ECDHE:!RSA:!DHE:!3DES
Let us know the results.
- Jawad_MukhtarAltostratus
What is the purpose of using DEFAULT at the start? Is it a must to use? I have TLSv1.2 turned on, which is required.
- Jawad_MukhtarAltostratus
What is the purpose of using DEFAULT at the start? Is it a must to use, as I have to have TLSv1.2 turned on?
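Added example, not part of any post in this thread: the cipher string in the question excludes DES, 3DES, ADH and EXPORT but carries no exclusion for RC4 or RC2, which the scanner's LOW line also names. The script below filters `tmm --clientciphers` output for the suites that fall into that LOW category; the function names, the table column layout and the sample rows are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list the suites in a tmm cipher
# expansion that a scanner would report under "LOW: 64 Bit + DES, RC[2,4]".

# Constructed sample resembling the table tmm prints. The column layout is
# an assumption and differs between BIG-IP versions; the rows are made up.
sample_tmm_output() {
cat <<'EOF'
       ID  SUITE                            BITS PROT    CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM   SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM   SHA256  ECDHE_RSA
 2:    61  AES256-SHA256                    256  TLS1.2  AES       SHA256  RSA
 3:     5  RC4-SHA                          128  TLS1.2  RC4       SHA     RSA
 4:     4  RC4-MD5                          128  TLS1.2  RC4       MD5     RSA
EOF
}

# Read a tmm table on stdin and print the name of every suite that uses
# RC4, RC2 or single DES, or whose key size is 64 bits or less.
# Triple DES (DES-CBC3-*) is deliberately not matched by the DES test.
low_suites() {
  awk '
    $1 ~ /^[0-9]+:$/ {
      suite = $3
      bits  = $4 + 0
      single_des = (("-" suite "-") ~ /-DES-CBC-/)
      if (suite ~ /RC4|RC2/ || single_des || (bits > 0 && bits <= 64))
        print suite
    }'
}

# Expand a cipher string with tmm and filter it (hypothetical helper).
check_string() {
  tmm --clientciphers "$1" | low_suites
}

# On a BIG-IP, pass the cipher string as the first argument;
# anywhere else the constructed sample is used instead.
if command -v tmm >/dev/null 2>&1 && [ $# -gt 0 ]; then
  check_string "$1"
else
  sample_tmm_output | low_suites
fi
```

An empty result for a candidate string means none of its suites match the LOW pattern, so the string can be compared against the scanner's report before it is applied to the SSL profile.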