How to make strong the weak cipher

Question

Hi AllAlready I have a cipher suite which already assigned. But in SSL Labs I found Cipher Suites# TLS 1.2 (suites in server-preferred order)TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)&nbsp;&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS128TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)&nbsp;&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)&nbsp;&nbsp;ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS&nbsp;&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)&nbsp;&nbsp;WEAK128TLS_RSA_WITH_AES_256_CBC_SHA (0x35)&nbsp;&nbsp;WEAK256TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)&nbsp;&nbsp;WEAK256How to make these weak ciphers stronger ...Thanks in Advance.

fallout1984 · Answer

Saidur,&nbsp;Here is a suggestion for ciphers to make a cert more secure (ie. to get an "A+" when checked via ssllabs.com):&nbsp;DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH&nbsp;And then for the options, disallow:&nbsp; TLSv1, TLSv1.1, SSLv2 and SSLv3.&nbsp;What the "@STRENGTH" option does is prioritize the stronger ciphers. You could add that at the end of your cipher list and that would help, but ideally you want to disallow the weaker ciphers.&nbsp;You can look at the preferred cipher list and order that a setting will give you by logging into your F5 via the CLI and entering this command (using DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH as an example):&nbsp;tmm --clientciphers 'DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH'&nbsp;Hopefully, this helps.Alan&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

Forum Discussion

How to make strong the weak cipher

1 Reply

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Lightboard Lessons: Choosing Strong vs Weak Ciphers

Strong Authentication

Disabling Weak Ciphers

Making EKS Anywhere Highly Available and Secure

Cipher suite mismatch advertisement/warning