Forum Discussion

Nimbostratus

Apr 26, 2016

Weak SSL cipher vulnerability during website vulnerability test

During a website vulnerability test we have found threat as: RC4 contains several known weaknesses, and cipher suites that use RC4 are considered "weak ciphers".Therefore, the following has been id...

application delivery

LTM

Hannes_Rapp

Nimbostratus

Apr 26, 2016

The first solution offered by ekaleido is OK, but a bit bulky for recent versions. In BigIP v11.5.1, there's no need for as many custom keywords, in particular SSLv2 and LOW-grade ciphers are already disabled by default.

You can achieve a similar outcome with 'DEFAULT:!RC4:!TLSv1' and then add into the mix this HSTS iRule (or use equivalent LTM Policy). This will be sufficient for grade A+ in regards to SSL security. CBC in combination with TLS1.1 or TLS1.2 or DTLS1 is completely acceptable. Some second-grade security scanners may recommend to disable CBC globally across all TLS versions (that's BS that should be ignored).

 tmm --clientciphers 'DEFAULT:!RC4:!TLSv1'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA
 2:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA
 3:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA
 4:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
 5:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA
 6:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA
 7:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA
 8:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA
 9:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA
10:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA
11: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
12: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
14: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
15: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
16: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
17: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
18: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)