For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nuruddin_Ahmed_'s avatar
Nuruddin_Ahmed_
Icon for Cirrostratus rankCirrostratus
Jun 20, 2016

Weak Ciphers

Hi,   We have applied verisign wildcard certificate for all our application as a client side certificate. We get B SSL ratings for our applications because of ciphers negotiated -   This server...
application delivery
BIG-IP
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Jun 20, 2016

Assuming you want to keep everything as-is, and just take out DH:

(apply the custom cipher to your client-ssl profile)

DEFAULT:!DH

You can also see the full list of cipher suites that will still be enabled after your change.

(execute in BigIP BASH shell)

tmm --clientciphers 'DEFAULT:!DH'

More ways to configure your custom client-ssl cipher string, refer to https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

Nuruddin_Ahmed_'s avatar
Nuruddin_Ahmed_
Icon for Cirrostratus rankCirrostratus
Jun 20, 2016
Hi Thanks for the quick reply. I applied below !DH:ECDHE:DHE:DHE_DSS:!LOW:!MEDIUM:@STRENGTH i am still failing in below - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK