Weak SSL cipher vulnerability during website vulnerability test
The first solution offered by ekaleido is OK, but a bit bulky for recent versions. In BigIP v11.5.1, there's no need for as many custom keywords; in particular, SSLv2 and LOW-grade ciphers are already disabled by default.
You can achieve a similar outcome with 'DEFAULT:!RC4:!TLSv1' and then add into the mix this HSTS iRule (or use an equivalent LTM Policy). This will be sufficient for grade A+ in regards to SSL security. CBC in combination with TLS1.1 or TLS1.2 or DTLS1 is completely acceptable. Some second-grade security scanners may recommend disabling CBC globally across all TLS versions (that's BS that should be ignored).
```
tmm --clientciphers 'DEFAULT:!RC4:!TLSv1'
       ID  SUITE                      BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256              256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                 256  TLS1.1  Native  AES     SHA     RSA
 2:    53  AES256-SHA                 256  TLS1.2  Native  AES     SHA     RSA
 3:    53  AES256-SHA                 256  DTLS1   Native  AES     SHA     RSA
 4:    60  AES128-SHA256              128  TLS1.2  Native  AES     SHA256  RSA
 5:    47  AES128-SHA                 128  TLS1.1  Native  AES     SHA     RSA
 6:    47  AES128-SHA                 128  TLS1.2  Native  AES     SHA     RSA
 7:    47  AES128-SHA                 128  DTLS1   Native  AES     SHA     RSA
 8:    10  DES-CBC3-SHA               192  TLS1.1  Native  DES     SHA     RSA
 9:    10  DES-CBC3-SHA               192  TLS1.2  Native  DES     SHA     RSA
10:    10  DES-CBC3-SHA               192  DTLS1   Native  DES     SHA     RSA
11: 49192  ECDHE-RSA-AES256-SHA384    256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
12: 49172  ECDHE-RSA-AES256-CBC-SHA   256  TLS1.1  Native  AES     SHA     ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA   256  TLS1.2  Native  AES     SHA     ECDHE_RSA
14: 49191  ECDHE-RSA-AES128-SHA256    128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
15: 49171  ECDHE-RSA-AES128-CBC-SHA   128  TLS1.1  Native  AES     SHA     ECDHE_RSA
16: 49171  ECDHE-RSA-AES128-CBC-SHA   128  TLS1.2  Native  AES     SHA     ECDHE_RSA
17: 49170  ECDHE-RSA-DES-CBC3-SHA     192  TLS1.1  Native  DES     SHA     ECDHE_RSA
18: 49170  ECDHE-RSA-DES-CBC3-SHA     192  TLS1.2  Native  DES     SHA     ECDHE_RSA
```
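As an added example (not part of the post and not F5 tooling), here is a small Python checker that parses a `tmm --clientciphers` listing of the shape shown above and reports any suite that 'DEFAULT:!RC4:!TLSv1' should have removed, while leaving CBC suites on TLS1.1/TLS1.2/DTLS1 alone as the post recommends. The listing embedded in it is constructed; it includes an RC4 row on TLS1.0 so the check has something to flag.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the `tmm --clientciphers` listing above;
# the RC4/TLS1.0 row is added deliberately so the check has something to catch.
SAMPLE_OUTPUT = """\
       ID  SUITE                      BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256              256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                 256  TLS1.1  Native  AES     SHA     RSA
 2:    10  DES-CBC3-SHA               192  DTLS1   Native  DES     SHA     RSA
 3: 49192  ECDHE-RSA-AES256-SHA384    256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
 4:     5  RC4-SHA                    128  TLS1.0  Native  RC4     SHA     RSA
"""

# One data row: index, suite id, name, bits, protocol, method, cipher, MAC, key exchange.
ROW = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_clientciphers(text: str) -> List[Dict[str, object]]:
    """Turn the tmm listing into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, cid, suite, bits, prot, method, cipher, mac, keyx = m.groups()
            rows.append({"id": cid, "suite": suite, "bits": int(bits), "prot": prot,
                         "method": method, "cipher": cipher, "mac": mac, "keyx": keyx})
    return rows

def policy_violations(rows: List[Dict[str, object]],
                      forbidden_prots=("SSLv2", "SSLv3", "TLS1.0"),
                      forbidden_ciphers=("RC4",)) -> List[str]:
    """Report suites that 'DEFAULT:!RC4:!TLSv1' (plus the v11.5.1 defaults)
    should have removed: RC4, and anything negotiated over SSL or TLS 1.0.
    CBC suites on TLS1.1/TLS1.2/DTLS1 are deliberately not flagged."""
    findings = []
    for r in rows:
        if r["cipher"] in forbidden_ciphers:
            findings.append(f"{r['suite']} ({r['prot']}): cipher {r['cipher']} forbidden")
        if r["prot"] in forbidden_prots:
            findings.append(f"{r['suite']} ({r['prot']}): protocol {r['prot']} forbidden")
    return findings

if __name__ == "__main__":
    rows = parse_clientciphers(SAMPLE_OUTPUT)
    for finding in policy_violations(rows) or ["no policy violations"]:
        print(finding)
```

To run it against a real box, pipe the output of `tmm --clientciphers '<your string>'` into `parse_clientciphers` instead of the constructed sample.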