
Forcing the use of tls1.2

Qasim
Cirrostratus

Hi,

I want to disable all but TLSv1.2 and also want to disable the use of DHE.

Would just typing the following in the ciphers list of a client profile be enough?

TLSV1_2:!DHE

Please let me know what you think.

 

Thanks

5 REPLIES 5

NAG
Cirrostratus

Hi Qasim,

Here is the cipher string you can use:

default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DEH

Hope this helps.

You can check all the supported ciphers using the following command.

# tmm --clientciphers 'default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DEH'

Hope this helps. Let me know if you have any questions.

 

Nag

Qasim
Cirrostratus

Hi,

Thank you for your swift response, that is much appreciated.

Wondering if the !DEH is a typo and that should be !DHE?

Also, what if I was to only allow the following suites for a particular VS:

: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA

33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA

34: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA

35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA

36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA

37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA

38: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA

39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA

40: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA

41: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA

42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA

43: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA

44: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA

NAG
Cirrostratus

Hi Qasim,

 

Yeah, it's a typo. It should be DHE.

# tmm --clientciphers 'default:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE'

If it answered your question, could you mark it as resolved please?

 

Thank you,

Nag
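Added example (not written by any participant in this thread): a shell check that reads a `tmm --clientciphers` listing in the column layout quoted above and reports every row that is not TLS1.2 or that uses finite-field DHE, so the effect of a cipher string can be confirmed rather than assumed. The helper name `check_cipher_listing`, the `SAMPLE_ROWS` variable and the `EDH/RSA` label in the constructed DHE row are assumptions.

```shell
# Added example, not from the thread. Policy: TLS1.2 only, no finite-field DHE.
# Rows 33-37 are copied from the listing above; row 45 is constructed, and its
# EDH/RSA key-exchange label is an assumption about how a DHE suite is shown.
SAMPLE_ROWS='33: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
36: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
37: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
45: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA'

# check_cipher_listing (hypothetical helper): reads listing rows on stdin and
# prints one line per violation. Exit status: 0 = all rows comply,
# 1 = at least one violation, 2 = no suite rows found (for example because
# the cipher string did not parse and the command printed only an error).
check_cipher_listing() {
    awk '
        # A suite row is "<index>: <id> <suite> <bits> <protocol> ... <keyx>".
        $1 ~ /^[0-9]*:$/ && $2 ~ /^[0-9]+$/ && NF >= 9 {
            rows++
            suite = $3; proto = $5; keyx = $NF
            if (proto != "TLS1.2") {
                printf "PROTOCOL %s %s\n", proto, suite; bad++
            }
            # ECDHE suites pass; only names or key exchanges that begin
            # with DHE/EDH are treated as finite-field Diffie-Hellman.
            if (suite ~ /^(DHE|EDH)-/ || keyx ~ /^(DHE|EDH)/) {
                printf "KEYX %s %s\n", keyx, suite; bad++
            }
        }
        END {
            if (rows == 0) exit 2
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Demo on the sample rows; on a BIG-IP, pipe the tmm listing in instead.
printf '%s\n' "$SAMPLE_ROWS" | check_cipher_listing || echo "exit status: $?"
```

Exit status 2 is kept separate from a clean pass so that a cipher string that fails to parse, and therefore lists no suites, is not mistaken for a compliant profile.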

youssef1
Cumulonimbus

Hi Qasim,

You have to set your SSL profile like this:

DEFAULT:!3DES:!DHE

Then, in order to allow only TLS1.2, you can do it using the GUI:

[screenshot]

Keep me in touch if you need more details.

Regards

Qasim
Cirrostratus

Hi Yousef,

That was very helpful and yes, it worked. Thank you for your help.