cancel
Showing results for 
Search instead for 
Did you mean: 

How to disable weak cipher from Client SSL Profile

Sriram_Shanmuga
Altostratus
Altostratus

Hi, We have disabled few ciphers and we have rating "A" in qualys ssl checker portal. We have a requirement to disable weak ciphers as well.

 

Could some one advice how to disable weak ciphers. Please find the attachment for reference.

 

Thanks

 

0691T000006ApuMQAS.jpg

 

1 ACCEPTED SOLUTION

Lokesh_R_365525
Nimbostratus
Nimbostratus

By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

 

View solution in original post

24 REPLIES 24

ka1021_129079
Altocumulus
Altocumulus

Hi Sriram,

 

Your can disable weak ciphers by putting following cipher string in clientssl_profile Local Traffic ›› Profiles : SSL : Client >> Ciphers (Cipher String) DEFAULT:!RSA:!DES:!3DES:!DHE

 

Also have a look at below KB articles: For 11.x - https://support.f5.com/csp/article/K13171 For 12.x - https://support.f5.com/csp/article/K13170

 

Regards, Kaustubh

 

Hi Kaustubh,

 

Thanks for your suggestions. I will update you once the changes has been made.

 

thanks Sriram

 

0691T000006AqGTQA0.jpg Hi Kaustubh,

 

I have made the changes suggested by you and i got the below output from ssl checker.

 

Thanks for your suggestions

 

Regards Sriram

 

Hi Kaustubh,

 

After the change the TLS 1.0,1.1 was enabled.

 

Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.

 

Please suggest a cipher for this requirement. 0691T000006AqGSQA0.jpg

 

Ok, thanks for update Sriram. Good to know that you got the solution.

 

but the ssl rating changed from A to F now.

 

try this: DEFAULT:!RSA:!DES:!3DES:!DHE:!TLSv1:!TLSv1_1

 

Thanks a ton. It worked. Now got A rating and TLs 1.2 alone.

 

ka1021
Altostratus
Altostratus

Hi Sriram,

 

Your can disable weak ciphers by putting following cipher string in clientssl_profile Local Traffic ›› Profiles : SSL : Client >> Ciphers (Cipher String) DEFAULT:!RSA:!DES:!3DES:!DHE

 

Also have a look at below KB articles: For 11.x - https://support.f5.com/csp/article/K13171 For 12.x - https://support.f5.com/csp/article/K13170

 

Regards, Kaustubh

 

Hi Kaustubh,

 

Thanks for your suggestions. I will update you once the changes has been made.

 

thanks Sriram

 

0691T000006AqGTQA0.jpg Hi Kaustubh,

 

I have made the changes suggested by you and i got the below output from ssl checker.

 

Thanks for your suggestions

 

Regards Sriram

 

Hi Kaustubh,

 

After the change the TLS 1.0,1.1 was enabled.

 

Our requirement is to have TLS 1.2 alone and rest all protocols should be disable.

 

Please suggest a cipher for this requirement. 0691T000006AqGSQA0.jpg

 

Ok, thanks for update Sriram. Good to know that you got the solution.

 

but the ssl rating changed from A to F now.

 

try this: DEFAULT:!RSA:!DES:!3DES:!DHE:!TLSv1:!TLSv1_1

 

Thanks a ton. It worked. Now got A rating and TLs 1.2 alone.

 

Lokesh_R
Nimbostratus
Nimbostratus

By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

 

Hi Lokesh,

 

Thanks for your suggestions.

 

After making the changes, i got the below output.0691T000006AqGQQA0.jpg

 

Lokesh_R_365525
Nimbostratus
Nimbostratus

By using DEFAULT:@STRENGTH command you can preferred the ciphers to use only Strength.

 

Hi Lokesh,

 

Thanks for your suggestions.

 

After making the changes, i got the below output.0691T000006AqGQQA0.jpg

 

RaghavendraSY
Altostratus
Altostratus

Please try below one: DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RC4:!RSA:!ADH:!EXP

 

Dhebal76
Nimbostratus
Nimbostratus

0691T00000CpAz9QAF.pngHello.

 

I realize this article is 3 years old, but i am facing a similar issue. From our Sec team, they want us to disable CBC Ciphers. They are showing up as weak on a Qualys SSL Scan. I have tried using "!CBC" in my cipher string, but it wont let me save that. Currently we use the following in our Cipher Strings in the SSL Profile below. Any help would be appreciated

 

DEFAULT:!TLSv1:!TLSv1_1:!DES:!RC4:!DHE

 

 

Hi Dhebal76, did you get to solve this problem. Pls share the Cypher string used

This worked for me:

ECDHE:!RSA:ECDHE_ECDSA:!SSLV3:!RC4:!EXP:!DES:!3DES:TLSV1_3:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256