
Forum Discussion

Rose
Jun 03, 2020

What Cipher to be used in case of POODLE/BEAST/SWEET32

I am working on BIG-IP version 11.5.x, where I have been asked to fix the vulnerabilities for many of the attacks below.

 

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

TLS/SSL Server is enabling the BEAST attack  

TLS/SSL Server is enabling the POODLE attack

TLS/SSL Server Supports 3DES Cipher Suite

TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)  

TLS/SSL Server Supports SSLv3

TLS/SSL Server Supports The Use of Static Key Ciphers  

Untrusted TLS/SSL server X.509 certificate

 

Here's what I am currently using - !RC4:!3DES:!RSA+AES:!SSLv2:!SSLv3:!TLSv1_1:ECDHE+AES-GCM 

 

However, this isn't stopping the above attacks. Could somebody tell me what cipher suite could be used?

1 Reply

  • Upgrade the load balancer to mitigate major attack types.

    All the questions can be solved except "Untrusted TLS/SSL server X.509 certificate".

    The ciphers below will help to achieve a good SSL rating in your version.

    !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

    Try and let us know.
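
To check which of the scanner findings listed in the question a candidate cipher string still leaves open, each row of the cipher listing that BIG-IP prints for that string (`tmm --clientciphers '<string>'`) can be classified against them. The Python script below is an added example, not part of the thread or of F5's tooling. It assumes that listing's column layout (ID SUITE BITS PROT METHOD CIPHER MAC KEYX); the sample rows are constructed for illustration and are not the output of either cipher string above.

```python
# Added example. SAMPLE is constructed; it assumes the column layout
# ID SUITE BITS PROT METHOD CIPHER MAC KEYX of `tmm --clientciphers` output.
SAMPLE = """\
       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1    Native  AES      SHA     ECDHE_RSA
 2:    47  AES128-SHA                   128  TLS1.2  Native  AES      SHA     RSA
 3:    10  DES-CBC3-SHA                 192  SSL3    Native  DES      SHA     RSA
 4:     5  RC4-SHA                      128  TLS1    Native  RC4      SHA     RSA
"""

def parse_rows(text):
    """Return one dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows: "<n>:" id suite bits prot method cipher mac keyx
        if len(parts) == 9 and parts[0].endswith(":") and parts[1].isdigit():
            rows.append({"suite": parts[2], "prot": parts[4],
                         "cipher": parts[6], "keyx": parts[8]})
    return rows

def findings_for(row):
    """Map one suite/protocol pair to the scanner findings it keeps alive."""
    found = set()
    cbc = row["cipher"] in ("AES", "DES", "CAMELLIA")   # block cipher, not GCM
    if row["prot"] == "SSL3":
        found.add("SSLv3")
        if cbc:
            found.add("POODLE")          # SSLv3 with a CBC suite
    if cbc and row["prot"] in ("SSL3", "TLS1"):
        found.add("BEAST")               # CBC below TLS 1.1
    if row["cipher"] == "DES":
        found.add("SWEET32/3DES")        # 64-bit block cipher
    if row["cipher"] == "RC4":
        found.add("RC4")
    if row["keyx"] == "RSA":
        found.add("static key")          # no ephemeral (EC)DHE exchange
    return found

def audit(text):
    """Return {(suite, protocol): sorted findings} for rows that trigger one."""
    report = {}
    for row in parse_rows(text):
        found = findings_for(row)
        if found:
            report[(row["suite"], row["prot"])] = sorted(found)
    return report

if __name__ == "__main__":
    for (suite, prot), found in audit(SAMPLE).items():
        print(f"{suite:30} {prot:7} {', '.join(found)}")
```

An empty result from `audit()` means none of the cipher-related findings remain; the "Untrusted TLS/SSL server X.509 certificate" finding is a certificate issue and is outside what a cipher string can change.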