Disabling Weak Ciphers

Sri_Narasimha_11 · ‎05-Apr-2023

Hi Experts,

We've been asked to disable the weak ciphers in F5 (12.1.2). Would like to seek help in getting the relevant ciphers disabled.

Currently, it's configured as DEFAULT in SSL profiles. Shall I proceed with this Cipher list DEFAULT:!DHE:!TLSV1_TLSV1_1 ...? Below are the alerts

PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
TLSv1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low
TLSv1.1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1.1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1.1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-GCM-SHA384 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-GCM-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1.2 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low#

CA_Valli · ‎17-Apr-2023

I'm running v15.1.8 and the following matches.

DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256

I built it starting from DEFAULT:!TLSv1:!TLSv1_1 and excluding explicitly the suites from your comment that still were in the list. (I noticed there was 3 repetitions; also EDH-RSA-DES-CBC3-SHA did not show up in cipher rule so there was no need to specify it)

View solution in original post

CA_Valli · ‎05-Apr-2023

Hello @Sri_Narasimha_11 ,
I've answered a similar question recently, can you check out this post and let me know if it suits you?

https://community.f5.com/t5/technical-forum/ltm-cipher-rule/m-p/308867#M265530

Sri_Narasimha_11 · ‎05-Apr-2023

Hi @CA_Valli

Many thanks for helping me out. I've ran this string on F5.

tmm --clientciphers 'DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA'

I've two queries:-

How to exclude (!) this along with protocol TLSV1 and TLSV1_1?

Once done, how to check what are the ciphers/protocols allowed to use for this attached Virtual server?

CA_Valli · ‎06-Apr-2023

The list you gave me are all ciphers that need exclusion? Cipher exclusion requires you to put the :! syntax before every single suite that you don't need.

You still need to start from a certains set however, and then exlude ciphers that aren't necessary.

I've seen you're running DEFAULT , so I'll keep that as a starting point. First exclude TLS1 and TLS1.1 with "DEFAULT:!TLS1:!TLS1_1" and run tmm --clientciphers "<string>" to see if there's still some suites that must be removed, it's likely that the weak TLS1.2 suites you mentioned will still be in the list, for example DHE-RSA-AES256-GCM-SHA384

You need to exclude all of the unnecessary suites manually, so string will become "DEFAULT:!TLS1:!TLS1_1:!DHE-RSA-AES256-GCM-SHA384:!<...>:!<...>:!<...>"

When you're done, run again tmm --clientciphers <string> to see the list of the remaining allowed suites.

Cheat sheet: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf

Sri_Narasimha_11 · ‎06-Apr-2023

Hi @CA_Valli

Thanks for the assistance. Yeah, the mentioned ciphers to be excluded.

When I try to create a new Cipher Rule with the below syntax, I'm getting 'Cipher String is Invalid' error.

DEFAULT:!TLSV1:!TLSV1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA

Am I missing something. Can you please assist?

CA_Valli · ‎06-Apr-2023

Try this?

 tmm --clientciphers 'DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA'

Sri_Narasimha_11 · ‎15-Apr-2023

Hi @CA_Valli

Sorry for the late reply. I've no issues in getting the supported cipher info via CLI (as provided above) but when I try to configure the below ciphers suites (Local Traffic -> Ciphers -> New Cipher Rule), I'm getting 'Cipher String is Invalid' error.

DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!EDH-RSA-DES-CBC3-SHA

Am I missing something? Can you please advise?

CA_Valli · ‎17-Apr-2023

I'm running v15.1.8 and the following matches.

DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256

I built it starting from DEFAULT:!TLSv1:!TLSv1_1 and excluding explicitly the suites from your comment that still were in the list. (I noticed there was 3 repetitions; also EDH-RSA-DES-CBC3-SHA did not show up in cipher rule so there was no need to specify it)

DevCentral

Disabling Weak Ciphers

MFA required on DevCentral