03-Oct-2018 05:01
Hi, we have disabled a few ciphers and we have an "A" rating in the Qualys SSL checker portal. We have a requirement to disable weak ciphers as well.
Could someone advise how to disable weak ciphers? Please find the attachment for reference.
Thanks
03-Oct-2018 06:31
Hi Sriram,
You can disable weak ciphers by putting the following cipher string in the clientssl_profile at Local Traffic ›› Profiles : SSL : Client ›› Ciphers (Cipher String):
DEFAULT:!RSA:!DES:!3DES:!DHE
Also have a look at the KB articles below:
For 11.x - https://support.f5.com/csp/article/K13171
For 12.x - https://support.f5.com/csp/article/K13170
Regards, Kaustubh
03-Oct-2018 23:20
Hi Kaustubh,
Thanks for your suggestions. I will update you once the changes have been made.
Thanks, Sriram
04-Oct-2018 00:01
Hi Kaustubh,
I have made the changes suggested by you and I got the below output from the SSL checker.
Thanks for your suggestions
Regards Sriram
04-Oct-2018 00:08
Hi Kaustubh,
After the change, TLS 1.0 and 1.1 were enabled.
Our requirement is to have TLS 1.2 alone, and all other protocols should be disabled.
Please suggest a cipher for this requirement.
04-Oct-2018 00:16
OK, thanks for the update, Sriram. Good to know that you got the solution.
04-Oct-2018 00:19
But the SSL rating changed from A to F now.
04-Oct-2018 00:25
Try this:
DEFAULT:!RSA:!DES:!3DES:!DHE:!TLSv1:!TLSv1_1
04-Oct-2018 00:33
Thanks a ton. It worked. Now got an A rating and TLS 1.2 alone.
03-Oct-2018 06:50
By using the DEFAULT:@STRENGTH command you can prefer the ciphers to use only Strength.
04-Oct-2018 00:02
Hi Lokesh,
Thanks for your suggestions.
After making the changes, I got the below output.
03-Oct-2018 07:02
Please try the one below:
DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RC4:!RSA:!ADH:!EXP
08-Jun-2021 10:48
Hello.
I realize this article is 3 years old, but I am facing a similar issue. From our Sec team, they want us to disable CBC ciphers. They are showing up as weak on a Qualys SSL scan. I have tried using "!CBC" in my cipher string, but it won't let me save that. Currently we use the following in our cipher strings in the SSL profile below. Any help would be appreciated.
DEFAULT:!TLSv1:!TLSv1_1:!DES:!RC4:!DHE
17-Feb-2022 12:17
Hi Dhebal76, did you get to solve this problem? Please share the cipher string used.
18-Feb-2022 13:17
This worked for me:
ECDHE:!RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256
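Added example, not part of any post in this thread and not F5 code: a small audit of an expanded cipher listing that reports protocols older than TLS 1.2 and the suites that run in CBC mode, then builds the per-suite `!` exclusions of the kind used in the string above. The sample listing is constructed; its column layout (as printed by `tmm --clientciphers '<string>'` on BIG-IP) and the names `parse`, `is_cbc` and `audit` are assumptions for this example.

```python
import re

# Constructed sample listing (columns: index, ID, SUITE, BITS, PROT, ...).
# Replace with the listing produced for your own cipher string.
SAMPLE = """\
       ID  SUITE                        BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 2: 49192  ECDHE-RSA-AES256-SHA384      256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
 3: 49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1    Native  AES      SHA     ECDHE_RSA
 5: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.1  Native  AES      SHA     ECDHE_RSA
 6: 49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1.2  Native  AES      SHA     ECDHE_RSA
 7: 49171  ECDHE-RSA-AES128-CBC-SHA     128  TLS1.2  Native  AES      SHA     ECDHE_RSA
"""

ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")
AEAD_TAGS = ("GCM", "CCM", "CHACHA20")    # authenticated modes, not CBC
ALLOWED_PROTOCOLS = {"TLS1.2", "TLS1.3"}  # policy assumed for this example


def parse(listing):
    """Return one dict per suite row; header and blank lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"suite": m.group(2), "bits": int(m.group(3)), "prot": m.group(4)})
    return rows


def is_cbc(suite):
    """Block-cipher suites without an AEAD mode use CBC, even when the
    name carries no 'CBC' (for example ECDHE-RSA-AES128-SHA256)."""
    if any(tag in suite for tag in AEAD_TAGS):
        return False
    return "RC4" not in suite and "NULL" not in suite


def audit(listing):
    rows = parse(listing)
    legacy = sorted({r["prot"] for r in rows} - ALLOWED_PROTOCOLS)
    cbc = []
    for r in rows:  # keep listing order, drop per-protocol repeats
        if is_cbc(r["suite"]) and r["suite"] not in cbc:
            cbc.append(r["suite"])
    return {"legacy_protocols": legacy, "cbc_suites": cbc,
            "exclusions": ":".join("!" + s for s in cbc)}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty `legacy_protocols` list and an empty `cbc_suites` list after a change mean the listing contains only TLS 1.2 or later with AEAD suites; re-run the external scan to confirm what clients actually see.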
24-Oct-2022 23:24
Thanks for the full statement, which will help a lot to exclude the cipher suites.
My question is: if I disable those cipher suites, that means users can't communicate with my web server using those cipher suites. So, doesn't that lead to limiting access to the site by disabling those cipher suites?