Forum Discussion

fmalik's avatar
fmalik
Icon for Nimbostratus rankNimbostratus
Feb 07, 2023

Weak Ciphers Removal

Hi,

In order to get good grades we have been asked to remove weak ciphers in TLS 1.2 and also add TLS 1.3 in our Production environemnt. But we are affraid if removing weak ciphers make any imapct on application functionality and any compatibility issues with browsers . Please guide how we can get good grades from SSL labs etc also incorporating browsers compaticbilty .

Below is the current status :

 

and what is required :

 

  • hi Fmalik,

    The "required" Ciphers Spec could be rated as most secure with little down level support.

    Slighly more compatible Chiper Specs may still add TLS_ECDHE_RSA_WITH_AES_X_CBC_SHA_X Ciphers for legacy clients, but placed at the very buttom of the Cipher List. The result will be still A+ rating (when combined with HSTS) but with added support for slightly older user-agents.

    Below is a cipher spec I'm using on public sites where SSL-Labs rating and support for down-level clients is a concern. Its gets a straight A+ rating...

    ... and still supports many older user-agents (see below)

    The user-agents which are not supported by this cipher spec are listed below...

    Cheers, Kai

     

     

  • fmalik If you don't have to have this changed immediately your best option here is to log the User-Agent HTTP header and then validate the ciphers that those browsers use by default. The following URL should help you log what SSL ciphers are being used.

    https://support.f5.com/csp/article/K86071030

    In conjunction with the above URL you can add in the following so that you can also log the User-Agent associated to those SSL ciphers.

    User Agent: [HTTP::header user-agent]

     As an example when you add in User-Agent it would look something similar to the following for the logging line.

    log local0. "From IP: [IP::client_addr] - User Agent: [HTTP::header user-agent] - cipher: [SSL::cipher name] - version: [SSL::cipher version]"

    If you aren't interested in the client IP address you can remove those pieces as well and only log what you are interested in. You can also reorganize your SSL ciphers on the F5 that are currently used to strongest order if that isn't the default to have a better idea of what each client decides to use. The issue you will have is that some clients will not be able to use any of the ciphers you switch to for this higher rating and you might be forced to use a weaker set of ciphers to allow those users to continue using the website. You cannot have both the highest rating and support all client browsers and you will have to make a decision on forcing the clients to update/upgrade and cut off their access or configuring the ciphers that all your clients can use and taking the weaker score.

  • reidg's avatar
    reidg
    Icon for Nimbostratus rankNimbostratus

    We are looking to enable TLS 1.3 but that requires a cipher group. The pre-built cipher groups that are provided include what SSL Labs refers to as weak. Is there a way to create a custom cipher group with only the few green ciphers? 

     

  • Have you tried adding a cypher profile to your client ssl profile?
    And tweaked the cypher settings int he ssl client profile?

    It should be as simple as that. - if you need me to add some screenshots let me know.
    I've done the same, for the same reasons on my system.

    • reidg's avatar
      reidg
      Icon for Nimbostratus rankNimbostratus

      I found that I could create a custom cipher rule and then link that to a new cipher group. This worked well and allows up to easily update. 

       

       

  • I have used this for a very strong CIPHERS to mitigate many vulnerabilities, you can customize it according to your need:

     

    [root@TEST-LAB-04:Active:In Sync] ~ # tmm --clientciphers 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES:@STRENGHT'

    ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX

    0:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  AES-GCM             SHA384  EDH/RSA

    1:   159  DHE-RSA-AES256-GCM-SHA384        256  DTLS1.2  AES-GCM             SHA384  EDH/RSA

    2:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  AES-GCM             SHA256  EDH/RSA

    3:   158  DHE-RSA-AES128-GCM-SHA256        128  DTLS1.2  AES-GCM             SHA256  EDH/RSA

    4: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA

    5: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  DTLS1.2  AES-GCM             SHA384  ECDHE_RSA

    6: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA

    7: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  DTLS1.2  AES-GCM             SHA256  ECDHE_RSA

    8:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  AES                 SHA256  EDH/RSA

    9:   107  DHE-RSA-AES256-SHA256            256  DTLS1.2  AES                 SHA256  EDH/RSA

    10:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  AES                 SHA256  EDH/RSA

    11:   103  DHE-RSA-AES128-SHA256            128  DTLS1.2  AES                 SHA256  EDH/RSA

    12: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA

    13: 49192  ECDHE-RSA-AES256-SHA384          256  DTLS1.2  AES                 SHA384  ECDHE_RSA

    14: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA

    15: 49191  ECDHE-RSA-AES128-SHA256          128  DTLS1.2  AES                 SHA256  ECDHE_RSA

    HTH

    🙏