
Qasim
Jun 12, 2020

Forcing the use of tls1.2

Hi,

I want to disable all but tlsv1.2 and also want to disable the use of DHE.

 

Would just typing the following in the ciphers list of a client profile be enough?

TLSV1_2:!DHE

 

Please let me know what you think.

 

Thanks

5 Replies

  • NAG

    Hi Qasim,

     

    Yeah, it's a typo. It should be DHE.

     

    # tmm --clientciphers 'default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE'

     

    If it answered your question, could you mark it as resolved, please?

     

    Thank you,

    Nag

  • Hi Qasim,

     

    You have to set your SSL profile like this:

    DEFAULT:!3DES:!DHE

     

    Then in order to allow only TLS1.2 you can do it using the GUI:

     

     

    Keep me in touch if you need more details.

     

    Regards

  • NAG

    Hi Qasim,

     

    Here is the cipher string you can use:

     

    default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DEH

     

    Hope this helps.

     

    You can check all the supported ciphers using the following command.

     

    # tmm --clientciphers 'default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DEH'

     

     

    Hope this helps. Let me know if you have any questions.

     

    Nag

    • Qasim

      Hi,

      Thank you for your swift response, that is much appreciated.

      Wondering if the !DEH is a typo and that should be !DHE?

      Also, what if I was to only allow the following suites for a particular VS:

      : 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA

      33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

      34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA

      35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA

      36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA

      37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA

      38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

      39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA

      40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA

      41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA

      42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA

      43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA

      44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA

  • Qasim

    Hi Yousef.

     

    That was very helpful and yes, it worked. Thank you for your help.
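
Added example, not part of any post in this thread: a Python check over `tmm --clientciphers` output in the row layout quoted above, flagging every row that is not TLS1.2, uses plain DHE key exchange, or uses 3DES. The sample rows are copied from the thread except the last DHE row, which is constructed; the function names are hypothetical.

```python
import re
import sys

# Row layout as quoted in the thread: optional "NN:" index, then
# ID, suite, bits, protocol, method, cipher, MAC, key exchange.
ROW = re.compile(
    r"^\s*(?:\d*:\s*)?(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+"
    r"(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

# Four rows copied from the thread, plus one constructed DHE row (last line).
SAMPLE = """\
33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA
 0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
"""

def parse_rows(text):
    """Return one dict per cipher row; header or blank lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def policy_violations(rows, allowed_protocols=("TLS1.2",)):
    """List (suite, protocol, reasons) for rows that break the thread's goal."""
    problems = []
    for r in rows:
        reasons = []
        if r["proto"] not in allowed_protocols:
            reasons.append("protocol " + r["proto"])
        # "ECDHE-..." does not start with "DHE-", so ECDHE suites pass.
        if r["suite"].startswith("DHE-"):
            reasons.append("DHE key exchange")
        if "DES-CBC3" in r["suite"]:
            reasons.append("3DES cipher")
        if reasons:
            problems.append((r["suite"], r["proto"], reasons))
    return problems

if __name__ == "__main__":
    # Pipe real output in on stdin, or run with no input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for suite, proto, reasons in policy_violations(parse_rows(text)):
        print(f"{suite} ({proto}): {', '.join(reasons)}")
```

An empty result for the cipher string under test means every suite it enables is TLS1.2 with no DHE and no 3DES.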