Forum Discussion

F5ROCK (Nimbostratus)
Feb 23, 2022
Solved

Disable below cipher

I tried to disable the below ciphers (customer requirement):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

This is the cipher string I am using, and we still see the above weak ciphers:

ECDHE:RSA:!TLSv1:!TLSv1_1:!3DES:!DTLSv1:!DHE:!RC4:!EXPORT:!DES:!SSLv3:!SHA1:!AES

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128

    So the hex cipher values are 0xc028 and 0xc027 - in decimal these are 49192 and 49191.
    On the BigIP bash command line prompt, we can display all the client cipher names:

     # tmm --clientciphers 'ALL' 

    We can then filter using grep:

     # tmm --clientcipher 'ALL' | grep -e "49192" -e "49191" 
     2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
    63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

    This identifies the relevant ciphers, which can then be removed using the cipher string, e.g.:

    # tmm --clientcipher 'ECDHE:-3DES:-SHA' 
    ID SUITE BITS PROT METHOD CIPHER MAC KEYX
    0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
    1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA  <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
    3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    With those ciphers removed:

    # tmm --clientcipher 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384' 
    ID SUITE BITS PROT METHOD CIPHER MAC KEYX
    0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
    1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

    K53432077: How to test a cipher string  

    I hope this helps.
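The mapping in the answer above (scanner hex suite ID, such as 0xc028, to the decimal ID that `tmm --clientciphers` prints, then to a `-NAME` exclusion in the cipher string) can be scripted so the check is repeatable after every cipher-string change. The following is an added example, not code from the thread or from F5; it parses a constructed copy of the `tmm` output shown above (columns ID SUITE BITS PROT METHOD CIPHER MAC KEYX) and also generalises the check to flag every CBC suite, using the assumption that a suite is CBC when its CIPHER column carries no AEAD marker (GCM or CHACHA).

```python
import re

# Constructed sample in the format of `tmm --clientciphers` output on BIG-IP;
# the rows copy the four suites listed in the thread above.
TMM_OUTPUT = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
"""

# One data row: "<idx>: <decimal id> <name> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)"
    r"\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)"
)


def parse_tmm(text):
    """Parse tmm cipher listing into dicts; the header line does not match ROW."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])  # decimal suite ID as tmm prints it
            suites.append(d)
    return suites


def flagged_suites(suites, scanner_hex_ids):
    """Match scanner hex IDs (e.g. '0xc028') against tmm's decimal IDs."""
    wanted = {int(h, 16) for h in scanner_hex_ids}  # 0xc028 -> 49192
    return [s for s in suites if s["id"] in wanted]


def cbc_suites(suites):
    """Assumed heuristic: no AEAD marker in the CIPHER column means a CBC suite."""
    return [s for s in suites if "GCM" not in s["cipher"] and "CHACHA" not in s["cipher"]]


def exclusion_string(base, suites):
    """Append a '-NAME' exclusion for each suite to an existing cipher string."""
    return base + "".join(":-" + s["name"] for s in suites)


if __name__ == "__main__":
    found = flagged_suites(parse_tmm(TMM_OUTPUT), ["0xc028", "0xc027"])
    print(exclusion_string("ECDHE:-3DES:-SHA", found))
```

Run the real listing through it with `tmm --clientciphers 'ALL' | python3 this_script.py` style piping once you replace the constructed sample with `sys.stdin.read()`.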

2 Replies
