Disable below cipher

F5ROCK
Nimbostratus

I tried to disable the ciphers below (customer requirement):

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

This is the cipher string I am using, and we still see the weak ciphers above:

ECDHE:RSA:!TLSv1:!TLSv1_1:!3DES:!DTLSv1:!DHE:!RC4:!EXPORT:!DES:!SSLv3:!SHA1:!AES

1 ACCEPTED SOLUTION

Simon_Blakely
F5 Employee
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128

So the hex cipher values are 0xc028 and 0xc027 - in decimal these are 49192 and 49191.
On the BigIP bash command line prompt, we can display all the client cipher names:

 # tmm --clientciphers 'ALL' 

We can then filter using grep:

 # tmm --clientcipher 'ALL' | grep -e "49192" -e "49191" 
 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
63: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

This identifies the relevant ciphers and can be used to remove these ciphers using the cipher-string:
e.g.

# tmm --clientcipher 'ECDHE:-3DES:-SHA' 
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA  <=== TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA <=== TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

With those ciphers removed:

# tmm --clientcipher 'ECDHE:-3DES:-SHA:-ECDHE-RSA-AES128-SHA256:-ECDHE-RSA-AES256-SHA384' 
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

K53432077: How to test a cipher string  

I hope this helps.
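As an added example (not code from the thread or from F5), the lookup Simon does by hand, automated in Python: it converts the scanner's hex suite IDs to the decimal IDs tmm prints, resolves them to the BIG-IP suite names from a constructed copy of the tmm table above, appends those names as `-NAME` exclusions, and checks that no CBC suite is left. The tmm output is a constructed sample in the column layout shown above; `cbc_suites` relies on the CIPHER column reading `AES` for CBC suites and `AES-GCM` for AEAD ones, as in the thread's output.

```python
from dataclasses import dataclass

# Constructed sample mirroring the `tmm --clientciphers 'ECDHE:-3DES:-SHA'` output
# above (columns: ID SUITE BITS PROT METHOD CIPHER MAC KEYX). Not captured from a real unit.
SAMPLE_TMM_OUTPUT = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
"""

@dataclass(frozen=True)
class Suite:
    suite_id: int  # decimal suite ID as tmm prints it (IANA 0xC028 -> 49192)
    name: str      # OpenSSL-style name accepted in a BIG-IP cipher string
    bits: int
    cipher: str    # bulk-cipher column: "AES" for CBC suites, "AES-GCM" for AEAD

def parse_tmm_ciphers(text: str) -> list[Suite]:
    """Parse the table rows; the header line and blank lines are skipped."""
    suites = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].endswith(":"):
            continue
        suites.append(Suite(int(f[1]), f[2], int(f[3]), f[6]))
    return suites

def hex_to_tmm_id(hex_id: str) -> int:
    """Scanners report suites in hex (0xc028); tmm lists the same value in decimal."""
    return int(hex_id, 16)

def names_for_ids(suites: list[Suite], hex_ids: list[str]) -> list[str]:
    """Resolve scanner hex IDs to the suite names the cipher string needs."""
    wanted = {hex_to_tmm_id(h) for h in hex_ids}
    return [s.name for s in suites if s.suite_id in wanted]

def build_exclusion_string(base: str, names: list[str]) -> str:
    """Append '-NAME' entries: a leading '-' removes a suite an earlier keyword added."""
    return ":".join([base] + [f"-{n}" for n in names])

def remaining_after_exclusion(suites: list[Suite], names: list[str]) -> list[Suite]:
    """Model what tmm lists once the named suites are excluded."""
    return [s for s in suites if s.name not in names]

def cbc_suites(suites: list[Suite]) -> list[str]:
    """CBC suites are those whose CIPHER column is plain 'AES' rather than 'AES-GCM'."""
    return [s.name for s in suites if s.cipher == "AES"]
```

Feed `names_for_ids(parse_tmm_ciphers(SAMPLE_TMM_OUTPUT), ["0xc028", "0xc027"])` into `build_exclusion_string("ECDHE:-3DES:-SHA", ...)` to reproduce the final cipher string above; on a real unit, replace the sample with captured `tmm --clientciphers` output.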

Thanks a lot Simon!