05-Apr-2023 02:16
Hi Experts,
We've been asked to disable the weak ciphers in F5 (12.1.2). Would like to seek help in getting the relevant ciphers disabled.
Currently, it's configured as DEFAULT in SSL profiles. Shall I proceed with this Cipher list DEFAULT:!DHE:!TLSV1_TLSV1_1 ...? Below are the alerts:

PROTOCOL  CIPHER NAME                GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1     DHE-RSA-AES256-SHA         DHE    1024      yes             80                  low
TLSv1     DHE-RSA-AES128-SHA         DHE    1024      yes             80                  low
TLSv1     EDH-RSA-DES-CBC3-SHA       DHE    1024      yes             80                  low
TLSv1.1   DHE-RSA-AES256-SHA         DHE    1024      yes             80                  low
TLSv1.1   DHE-RSA-AES128-SHA         DHE    1024      yes             80                  low
TLSv1.1   EDH-RSA-DES-CBC3-SHA       DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-GCM-SHA384  DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-GCM-SHA256  DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-SHA256      DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-SHA256      DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-SHA         DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-SHA         DHE    1024      yes             80                  low
TLSv1.2   EDH-RSA-DES-CBC3-SHA       DHE    1024      yes             80                  low
05-Apr-2023 05:14
Hello @Sri_Narasimha_11 ,
I've answered a similar question recently, can you check out this post and let me know if it suits you?
https://community.f5.com/t5/technical-forum/ltm-cipher-rule/m-p/308867#M265530
05-Apr-2023 06:25 - edited 05-Apr-2023 23:14
Hi @CA_Valli
Many thanks for helping me out. I've run this string on F5.
tmm --clientciphers 'DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA'
I have two queries:
How do I exclude (!) these, along with the protocols TLSV1 and TLSV1_1?
Once done, how do I check which ciphers/protocols are allowed for the virtual server this is attached to?
06-Apr-2023 00:57 - edited 06-Apr-2023 00:59
Are all the ciphers in the list you gave me ones that need exclusion? Cipher exclusion requires you to put the :! syntax before every single suite that you don't need.
You still need to start from a certain set, however, and then exclude the ciphers that aren't necessary.
I've seen you're running DEFAULT, so I'll keep that as a starting point. First exclude TLS1 and TLS1.1 with "DEFAULT:!TLS1:!TLS1_1" and run tmm --clientciphers "<string>" to see if there are still some suites that must be removed; it's likely that the weak TLS1.2 suites you mentioned will still be in the list, for example DHE-RSA-AES256-GCM-SHA384.
You need to exclude all of the unnecessary suites manually, so the string will become "DEFAULT:!TLS1:!TLS1_1:!DHE-RSA-AES256-GCM-SHA384:!<...>:!<...>:!<...>"
When you're done, run tmm --clientciphers <string> again to see the list of the remaining allowed suites.
Cheat sheet: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf
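The procedure above (start from DEFAULT, drop TLSv1/TLSv1_1, then exclude each flagged suite, then resolve the string with tmm --clientciphers) as a script for the BIG-IP bash prompt. This is an added example, not code from the thread or from F5. The suite list is constructed from the scanner table in the original post, which lists the same suite once per protocol, so the script removes repeats before building the string (the :! keyword syntax and the protocol keywords TLSv1 and TLSv1_1 are the ones used in the thread). Whether a flagged suite is actually present in the DEFAULT set is not assumed: it is read from the tmm output, which is the only authority for that. The has_leftovers check assumes the suite names appear verbatim in the tmm --clientciphers output, as the thread shows they do.

```shell
#!/bin/bash
# Added example, not code from the thread: build the exclusion string the
# way CA_Valli describes (start from DEFAULT, drop TLSv1/TLSv1_1, then drop
# the flagged suites), with duplicates removed, and resolve it with
# tmm --clientciphers when run on the BIG-IP bash prompt.
set -e

# Constructed from the scanner table in the original post: the flagged
# suites in the order listed; the same suite repeats under each protocol.
FLAGGED_SUITES="DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA"

# Print each suite once, keeping first-seen order, skipping blank lines.
dedup_suites() {
    printf '%s\n' "$1" | awk 'NF && !seen[$0]++'
}

# Compose "BASE:!PROTO...:!SUITE..." from a base keyword, a space-separated
# list of protocol keywords and a newline-separated suite list.
build_cipher_string() {
    base="$1"; protos="$2"; suites="$3"
    out="$base"
    for p in $protos; do
        out="$out:!$p"
    done
    for s in $(dedup_suites "$suites"); do
        out="$out:!$s"
    done
    printf '%s\n' "$out"
}

# True (exit 0) when a resolved suite list still contains a DHE/EDH suite.
# The leading [^A-Z] keeps ECDHE-RSA-* suites from matching.
has_leftovers() {
    printf '%s\n' "$1" | grep -Eq '(^|[^A-Z])(DHE|EDH)-RSA-'
}

# On the BIG-IP, resolve the string with the command used in the thread and
# flag any DHE/EDH suite that survived; off-box just print the string.
show_allowed() {
    if command -v tmm >/dev/null 2>&1; then
        resolved=$(tmm --clientciphers "$1")
        printf '%s\n' "$resolved"
        if has_leftovers "$resolved"; then
            echo "DHE/EDH suites still present; add them to the exclusion list" >&2
            return 1
        fi
    else
        printf 'tmm not found (not on a BIG-IP); cipher string is:\n%s\n' "$1"
    fi
}

CIPHER_STRING=$(build_cipher_string DEFAULT "TLSv1 TLSv1_1" "$FLAGGED_SUITES")
show_allowed "$CIPHER_STRING"
```

Run it on the BIG-IP and read the resolved list: a suite that never appears there (as the accepted answer found for EDH-RSA-DES-CBC3-SHA) can be left out of the cipher rule, and anything has_leftovers reports goes back into FLAGGED_SUITES. The string only describes what the cipher rule resolves to; it does nothing for a virtual server until the client-ssl profile using that rule is actually attached to it.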
06-Apr-2023 01:57
Hi @CA_Valli
Thanks for the assistance. Yeah, the mentioned ciphers are to be excluded.
When I try to create a new Cipher Rule with the below syntax, I'm getting a 'Cipher String is Invalid' error.
DEFAULT:!TLSV1:!TLSV1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA
Am I missing something? Can you please assist?
06-Apr-2023 05:52
Try this?
tmm --clientciphers 'DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA'
15-Apr-2023 23:25
Hi @CA_Valli
Sorry for the late reply. I have no issues getting the supported cipher info via CLI (as provided above), but when I try to configure the below cipher suites (Local Traffic -> Ciphers -> New Cipher Rule), I'm getting a 'Cipher String is Invalid' error.
DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA
Am I missing something? Can you please advise?
17-Apr-2023 01:05
I'm running v15.1.8 and the following matches.
DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256
I built it starting from DEFAULT:!TLSv1:!TLSv1_1 and explicitly excluding the suites from your comment that were still in the list. (I noticed there were 3 repetitions; also, EDH-RSA-DES-CBC3-SHA did not show up in the cipher rule, so there was no need to specify it.)
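The second question in the thread (how to check what the virtual server actually allows once the rule is applied) is answered on-box by tmm --clientciphers, which only shows what the string resolves to. The check a practitioner also wants is from a client outside the BIG-IP, against the virtual server itself. The script below is an added example, not from the thread or from F5: it drives openssl s_client with a forced protocol or cipher list and classifies each attempt from the standard "New, <proto>, Cipher is <suite>" line that s_client prints. HOST and PORT are placeholders; the sample s_client output embedded at the bottom is constructed, not captured from a BIG-IP. It assumes an OpenSSL client build that will still offer TLS 1.0/1.1 and DHE suites; recent builds may refuse those at the client's own security level, in which case the probe reports "rejected" for the wrong reason.

```shell
#!/bin/bash
# Added example, not code from the thread: probe the virtual server from a
# client box after the cipher rule is applied, to confirm TLS 1.0, TLS 1.1
# and DHE suites are no longer negotiated. HOST and PORT are placeholders.
# Assumes an OpenSSL s_client build that will still offer TLS 1.0/1.1
# (recent builds may refuse at the client's own security level).
set -e

# Classify one s_client run from its "New, <proto>, Cipher is <suite>" line:
# prints "rejected" or "accepted <proto> <suite>".
classify_handshake() {
    printf '%s\n' "$1" | awk '
        /^New, / {
            if ($0 ~ /\(NONE\)/) { print "rejected"; found = 1; exit }
            proto = $2; sub(/,$/, "", proto)
            print "accepted " proto " " $NF; found = 1; exit
        }
        END { if (!found) print "rejected" }'
}

# One handshake attempt; stdin closed so s_client exits after the handshake,
# stderr merged because alerts are reported there.
probe() {   # $1=host $2=port $3..=s_client options
    host="$1"; port="$2"; shift 2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1 || true)
    classify_handshake "$out"
}

# After the fix the first three should be "rejected" and the last "accepted".
run_probes() {   # $1=host $2=port
    printf 'TLS1.0       : %s\n' "$(probe "$1" "$2" -tls1)"
    printf 'TLS1.1       : %s\n' "$(probe "$1" "$2" -tls1_1)"
    printf 'TLS1.2 DHE   : %s\n' "$(probe "$1" "$2" -tls1_2 -cipher 'DHE:EDH')"
    printf 'TLS1.2 any   : %s\n' "$(probe "$1" "$2" -tls1_2)"
}

# Constructed sample s_client output (not captured from a BIG-IP) so the
# classifier can be exercised with no target reachable.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_REJECTED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)'

if [ -n "${1:-}" ]; then
    run_probes "$1" "${2:-443}"      # usage: ./probe.sh HOST [PORT]
else
    classify_handshake "$SAMPLE_ACCEPTED"
    classify_handshake "$SAMPLE_REJECTED"
fi
```

A "rejected" result looks the same whether the BIG-IP refused the handshake or the local OpenSSL refused to offer the legacy protocol, so run the TLS1.0 and TLS1.1 probes once against a host known to still accept them before trusting a clean result; if the client cannot offer them at all, nmap's ssl-enum-ciphers script is the usual substitute. The last probe guards against the opposite mistake, an exclusion string so aggressive that nothing negotiates at all.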