Cipher Suite Practices and Pitfalls
BIG-IP does not currently support DHE beyond 1024-bit. The short version of the reason why is that there was no way for the client and server to negotiate the key size, and if the two ends used a different size it doesn't work. An extension to TLS, FFDHE, was proposed to allow for negotiation of DHE key sizes, and this was incorporated into TLSv1.3. FFDHE isn't in our initial implementation of TLSv1.3, but it is on the roadmap (I'm not sure of when we can expect it yet). I'm pushing to support it on earlier versions of TLS as well, for any client that does. (The initial standalone proposal was as an extension to TLS in general, not specific to 1.3.)
As for CBC ciphers - there isn't a fundamental weakness in CBC itself. The problem is that CBC ciphers, as a group, are more susceptible to implementation issues which lead to things like oracle vulnerabilities. Basically it is easier to get something wrong and create a vulnerability when implementing CBC. Because of the recurring issues with CBC implementations suffering from padding attacks, timing attacks, etc., the use of CBC has been discouraged - and CBC is removed completely from TLSv1.3. But, again, the vulnerabilities are in the implementations, not the cipher itself. It is possible to have an AES-CBC implementation with no known weaknesses, just as you can with AES-GCM - but in the real world there are more ways to get it wrong with CBC.
As for SSLLabs, I'd have to know what exactly it is flagging you for. You could be running a version of TMOS which is actually vulnerable - we have had our share of issues as have most vendors. If it is giving you a CVE or attack name that you're vulnerable to, check AskF5 for a Security Advisory on it. There have also been cases of false positives in the past, and that's always a possibility. Sometimes it is an ordering thing - having PFS+non-CBC ciphers first but still allowing CBC ciphers as an option for older clients may improve the score.
Also, make sure you don't have any 3DES ciphers enabled - those will get dinged for strength (Medium at best).
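The points above (PFS + non-CBC suites first, CBC kept only as a fallback, no 3DES, DHE limited to 1024-bit) can be checked mechanically against a configured cipher list. The following is an added example, not part of the original post and not F5 code; it assumes OpenSSL-style TLS 1.2 suite names listed in server preference order, and the sample list is constructed.

```python
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

# Constructed sample: a server-preference-ordered list of OpenSSL-style names.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",                    # CBC, no PFS, ahead of later AEAD suites
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",       # CBC fallback placed after the AEAD suites
    "DES-CBC3-SHA",
]

def classify(name):
    """Return (pfs, mode) for one suite name (naming convention is assumed)."""
    n = name.upper()
    pfs = n.split("-")[0] in ("ECDHE", "DHE")
    if "DES-CBC3" in n or "3DES" in n:
        mode = "3DES"
    elif any(m in n for m in AEAD_MARKERS):
        mode = "AEAD"
    elif "RC4" in n:
        mode = "RC4"
    else:
        mode = "CBC"  # OpenSSL leaves "CBC" out of AES/Camellia CBC suite names
    return pfs, mode

def audit(suites):
    """Return [(suite, finding)] for the issues discussed in the post."""
    info = [(s,) + classify(s) for s in suites]
    preferred = [i for i, (_, pfs, mode) in enumerate(info) if pfs and mode == "AEAD"]
    last_preferred = max(preferred) if preferred else -1
    findings = [] if preferred else [("*", "no PFS + non-CBC suite offered")]
    for i, (suite, pfs, mode) in enumerate(info):
        if mode == "3DES":
            findings.append((suite, "3DES enabled"))
        elif mode == "CBC" and i < last_preferred:
            findings.append((suite, "CBC ordered ahead of a PFS + non-CBC suite"))
        if suite.upper().startswith("DHE-"):
            findings.append((suite, "finite-field DHE: confirm key size (1024-bit on BIG-IP per the post)"))
    return findings

if __name__ == "__main__":
    for suite, finding in audit(SAMPLE):
        print(f"{suite}: {finding}")
```

A CBC suite listed after every PFS + AEAD suite is treated as an acceptable fallback for older clients and is not reported.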