12-Jun-2020 02:47
Hi,
I want to disable all but tlsv1.2 and also want to disable the use of DHE.
Would just typing the following in ciphers list of a client profile will be enough?
TLSV1_2:!DHE
Please let me know what you think.
Thanks
12-Jun-2020 04:50
HI Qasim,
Here is the cipher string you can use:
default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DEH
Hope this helps.
YOu can check on all the supported ciphers using following command.
#tmm -clientciphers 'default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DEH'
Hope this helps. Let me know if you have any questions.
Nag
12-Jun-2020 04:58
HI,
thank you for your swift response that much appreciated.
Wondering if the !DEH is a typo and that should be !DHE?
Also, what if I was to only allow the following suites for a particular VS:
: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA
43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA
44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA
12-Jun-2020 05:25
Hi Qasim,
Yeah, its a typo.. it should be DHE.
#tmm -clientciphers 'default:!TSLv1:!TSLv1_1:!TSLv1_1::!TSLv1_3:!DTSLv1:!DHE'
If it answered your question, could you mark it as resolved please
Thank you,
Nag
12-Jun-2020 06:01
HI Qasim,
You have to set your ssl profil like that:
DEFAULT:!3DES:!DHE
Then in order to allow only TLS1.2 you can do it using the GUI:
keep me in touch if you need more details.
regards