Forum Discussion
Weak Ciphers Supported
Hello, BIG IP F5 LTM 12.1.2, Hotfix-BIGIP-12.1.2.2.0.276-HF2
I have one SSL client profile with the following cipher: DEFAULT:!3DES:!DHE!TLSv1:!TLSv1_1
When I perform an SSL scan of the associated domain, it shows as vulnerable:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DH 1024 bit, WEAK DH Group Size)
On the same SSL profile, I also configure this chain: !EXPORT:!3DES:!DHE:!DH:!MD5:!SSLV3:!DTLv1:!ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:!TLSv1_1:tlsV1_2
I have the same problem. Could you help me fix it?
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1 Reply
- SurgeonRet. Employee
This is because you have DH 1024 bit. BIG-IP does not support DHE 2048 due to some technical aspects of this type of cipher. You can disable DHE and use ECDHE instead.
Are you sure you are connecting to BIG-IP directly? There is no RSA-DHE cipher listed on version 12.1.2 with the cipher string you used.
    tmm --clientciphers 'DEFAULT:!DHE:!TLSv1:!TLSv1_1:!3DES'
            ID  SUITE                          BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:    157  AES256-GCM-SHA384              256   TLS1.2  Native  AES-GCM  SHA384  RSA
     1:    156  AES128-GCM-SHA256              128   TLS1.2  Native  AES-GCM  SHA256  RSA
     2:     61  AES256-SHA256                  256   TLS1.2  Native  AES      SHA256  RSA
     3:     53  AES256-SHA                     256   TLS1.2  Native  AES      SHA     RSA
     4:     53  AES256-SHA                     256   DTLS1   Native  AES      SHA     RSA
     5:     60  AES128-SHA256                  128   TLS1.2  Native  AES      SHA256  RSA
     6:     47  AES128-SHA                     128   TLS1.2  Native  AES      SHA     RSA
     7:     47  AES128-SHA                     128   DTLS1   Native  AES      SHA     RSA
     8:  49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     9:  49199  ECDHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
    10:  49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
    11:  49172  ECDHE-RSA-AES256-CBC-SHA       256   TLS1.2  Native  AES      SHA     ECDHE_RSA
    12:  49191  ECDHE-RSA-AES128-SHA256        128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
    13:  49171  ECDHE-RSA-AES128-CBC-SHA       128   TLS1.2  Native  AES      SHA     ECDHE_RSA
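One way to make the comparison in the reply repeatable (an added example, not part of the thread or of F5's tooling): the ID column of `tmm --clientciphers` is the suite's IANA code point, so the four suites the scanner flagged can be looked up by number in the expanded list. The function names `reply_tmm_output` and `flagged_suites` are hypothetical; the sample rows are the ones posted in the reply.

```bash
#!/usr/bin/env bash
# Added example. On a BIG-IP, pipe the real command instead of the sample:
#   tmm --clientciphers '<cipher string of the profile>' | flagged_suites

# Cipher list copied from the reply above (header plus 14 rows).
reply_tmm_output() {
cat <<'EOF'
        ID  SUITE                        BITS PROT   METHOD CIPHER  MAC    KEYX
 0:    157  AES256-GCM-SHA384            256  TLS1.2 Native AES-GCM SHA384 RSA
 1:    156  AES128-GCM-SHA256            128  TLS1.2 Native AES-GCM SHA256 RSA
 2:     61  AES256-SHA256                256  TLS1.2 Native AES     SHA256 RSA
 3:     53  AES256-SHA                   256  TLS1.2 Native AES     SHA    RSA
 4:     53  AES256-SHA                   256  DTLS1  Native AES     SHA    RSA
 5:     60  AES128-SHA256                128  TLS1.2 Native AES     SHA256 RSA
 6:     47  AES128-SHA                   128  TLS1.2 Native AES     SHA    RSA
 7:     47  AES128-SHA                   128  DTLS1  Native AES     SHA    RSA
 8:  49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
 9:  49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
10:  49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2 Native AES     SHA384 ECDHE_RSA
11:  49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.2 Native AES     SHA    ECDHE_RSA
12:  49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2 Native AES     SHA256 ECDHE_RSA
13:  49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.2 Native AES     SHA    ECDHE_RSA
EOF
}

# Reads tmm --clientciphers output on stdin and prints "ID SUITE IANA_NAME"
# for every row whose ID matches a suite the scanner reported as weak.
flagged_suites() {
  awk '
    BEGIN {
      # Decimal IANA code points of the suites named in the scan report.
      name[159] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"   # 0x009F
      name[158] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"   # 0x009E
      name[57]  = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"      # 0x0039
      name[51]  = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"      # 0x0033
    }
    # Data rows start with an index such as "0:"; the header row does not.
    $1 ~ /^[0-9]+:$/ && ($2 in name) { print $2, $3, name[$2] }
  '
}

# Demo on the reply's list: nothing is flagged, so the profile as expanded
# by tmm cannot be the source of the DHE suites the scanner saw.
if [ -z "$(reply_tmm_output | flagged_suites)" ]; then
  echo "no scanner-flagged DHE suites in this cipher list"
fi
```

An empty result for the profile's own cipher string, combined with a scan that still reports DHE, points at the scan reaching a different profile or device, which is the question the reply raises.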