Disable 3DES for Admin HTTPS access

b_sean_377285
Nimbostratus

Hi,

 

I need to disable 3DES as part of the SWEET32 vulnerability. I have gone through a few articles and they mention modifying the SSL client profile and commenting out 3DES. My question is -

 

  1. What client profile is used for admin access?
  2. Or do I need to modify httpd ssl-ciphersuite to have this fixed?

Thanks, Sean

 

5 REPLIES

Lee_Sutcliffe
Nacreous

Have you seen these articles?

https://support.f5.com/csp/article/K13405
https://support.f5.com/csp/article/K17491
https://support.f5.com/csp/article/K31320003

For the management console you need to modify the httpd cipher suite

list sys httpd ssl-ciphersuite
will show the current cipher suites for the management console

youssef1
Cumulonimbus

Hi,

You don't use a client SSL profile for admin access. You have to use tmsh in order to disable ciphers on admin access.

First off, if you want to check the ciphers used, enter this command:

list sys httpd ssl-ciphersuite

sys httpd {
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
}

So if you want to disable 3DES you can just add

:!DES:!3DES
at the end of the line.

So to modify the ssl-ciphersuite, follow this procedure:

tmsh modify sys httpd ssl-ciphersuite 'ECDHE-RSA-AES128-GCM-SHA256:....:!DES:!3DES'
tmsh save sys config
bigstart restart httpd

Keep me in touch.

regards
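
An added example, not part of the original posts or of F5's tooling: a shell check that pulls the ssl-ciphersuite value out of the list sys httpd output shown above, lists the 3DES suites still named in it, and builds the replacement string to review before running tmsh modify. It assumes the value follows OpenSSL cipher-list syntax, where the 3DES keyword (not DES) matches triple-DES suites; the function names and the shortened sample are constructed for illustration.

```shell
#!/bin/bash
# Audit a BIG-IP management httpd cipher string for 3DES (SWEET32).
# Nothing here touches the device; it only parses text and prints a command.

# Constructed sample: shortened form of the listing shown in the thread.
SAMPLE='sys httpd {
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DES
}'

# Pull the colon-separated cipher string out of the tmsh listing.
extract_suite() {
    printf '%s\n' "$1" | awk '$1 == "ssl-ciphersuite" { print $2; exit }'
}

# List 3DES suites that are still offered by name. OpenSSL names them
# *-DES-CBC3-*; entries starting with "!" or "-" are removals, not offers.
find_3des() {
    printf '%s\n' "$1" | tr ':' '\n' | grep 'DES-CBC3' | grep -v '^[!-]' || true
}

# Drop every entry that names a 3DES suite, drop any old !DES / !3DES
# markers, then end the string with one explicit pair of exclusions.
harden_suite() {
    kept=$(printf '%s\n' "$1" | tr ':' '\n' \
        | grep -Ev '^$|DES-CBC3|^!3?DES$' | paste -sd: -)
    printf '%s:!DES:!3DES\n' "$kept"
}

current=$(extract_suite "$SAMPLE")
echo "3DES suites still offered by name:"
find_3des "$current"
echo "Command to review before running on the device:"
echo "tmsh modify sys httpd ssl-ciphersuite '$(harden_suite "$current")'"
```

On a real unit, feed extract_suite the output of tmsh list sys httpd ssl-ciphersuite instead of SAMPLE, and re-run find_3des after the httpd restart to confirm the list is empty.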

lixiaodong
Nimbostratus

Hello, I tried this but it did not solve the problem.

Nic_Foxton
Nimbostratus

I've just had a scan report for this on my F5's.

So this will modify the cipher suite for admin only?

For vServers I need to maintain the multi-suite available due to some application owners not updating their apps for years and actually can't upgrade some. We're proxying between suites for some services (false security imho but I do what I'm told)

All sorted, thank you for this info