Forum Discussion
25 Replies
- ka1021Altostratus
Hi Sriram,
Your can disable weak ciphers by putting following cipher string in clientssl_profile Local Traffic ›› Profiles : SSL : Client >> Ciphers (Cipher String) DEFAULT:!RSA:!DES:!3DES:!DHE
Also have a look at below KB articles: For 11.x - https://support.f5.com/csp/article/K13171 For 12.x - https://support.f5.com/csp/article/K13170
Regards, Kaustubh
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
Thanks for your suggestions. I will update you once the changes has been made.
thanks Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
I have made the changes suggested by you and i got the below output from ssl checker.
Thanks for your suggestions
Regards Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
After the change the TLS 1.0,1.1 was enabled.
Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.
Please suggest a cipher for this requirement.
- ka1021_129079Altocumulus
Hi Sriram,
Your can disable weak ciphers by putting following cipher string in clientssl_profile Local Traffic ›› Profiles : SSL : Client >> Ciphers (Cipher String) DEFAULT:!RSA:!DES:!3DES:!DHE
Also have a look at below KB articles: For 11.x - https://support.f5.com/csp/article/K13171 For 12.x - https://support.f5.com/csp/article/K13170
Regards, Kaustubh
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
Thanks for your suggestions. I will update you once the changes has been made.
thanks Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
I have made the changes suggested by you and i got the below output from ssl checker.
Thanks for your suggestions
Regards Sriram
- Sriram_ShanmugaAltostratus
Hi Kaustubh,
After the change the TLS 1.0,1.1 was enabled.
Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.
Please suggest a cipher for this requirement.
- Lokesh_R_365525Nimbostratus
By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.
- Sriram_ShanmugaAltostratus
Hi Lokesh,
Thanks for your suggestions.
After making the changes, i got the below output.
- Lokesh_RNimbostratus
By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.
- Sriram_ShanmugaAltostratus
Hi Lokesh,
Thanks for your suggestions.
After making the changes, i got the below output.
- RaghavendraSYAltostratus
Please try below one: DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RC4:!RSA:!ADH:!EXP
- Dhebal76Nimbostratus
Hello.
I realize this article is 3 years old, but i am facing a similar issue. From our Sec team, they want us to disable CBC Ciphers. They are showing up as weak on a Qualys SSL Scan. I have tried using "!CBC" in my cipher string, but it wont let me save that. Currently we use the following in our Cipher Strings in the SSL Profile below. Any help would be appreciated
DEFAULT:!TLSv1:!TLSv1_1:!DES:!RC4:!DHE
- Mmathew-AMSNimbostratus
Hi Dhebal76, did you get to solve this problem. Pls share the Cypher string used
- iHugoFNimbostratus
This worked for me:
ECDHE:!RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256