24-Mar-2021 02:18 - last edited on 05-Jun-2023 20:06 by JimmyPackets
Based on the security team's recommendation, we need to avoid particular ciphers and include a particular cipher.
I used the line below in the client SSL profile.
DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA
I expect ECDHE-ECDSA-AES128-SHA256 to be listed, but when scanning using an online tool, I do not see this particular cipher.
Below is the list detected by the tool:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)     DH 1024 bits                        FS  WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)     DH 1024 bits                        FS  WEAK  128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA)  FS        256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA)  FS        128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA)  FS  WEAK  256

Software version: BIG-IP 12.1.5.3 Build 0.16.5 Engineering Hotfix
Please advise what I am missing.
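The following is an added example, not code from the original post or from F5. It models how an OpenSSL-style cipher string (the DEFAULT / NAME / !NAME grammar that BIG-IP client SSL cipher strings also use) resolves into an ordered list of enabled suites, and then filters that list by the key type of the certificate the virtual server presents. The reason this second step matters: an ECDHE-ECDSA suite can only be negotiated when the server holds an ECDSA certificate and key, so with an RSA-only certificate it stays enabled in the profile but never appears to a scanner. The catalogue and the DEFAULT order below are constructed samples, not the real BIG-IP 12.1 DEFAULT list; the cipher string is the one from the question.

```python
# Added example (not from the original post): model how an OpenSSL-style
# cipher string resolves, then filter by the certificate type the server
# actually holds. Catalogue and DEFAULT order are constructed samples,
# NOT the real BIG-IP 12.1 DEFAULT list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # short cipher name as written in the cipher string
    kx: str     # key exchange: ECDHE, DHE or RSA
    auth: str   # certificate key type the suite needs: RSA or ECDSA


# Constructed catalogue of suites the resolver knows about (insertion
# order is significant: it doubles as the constructed DEFAULT order).
CATALOG = {s.name: s for s in [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-AES256-SHA384", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-AES128-SHA256", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-AES256-CBC-SHA", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-AES128-CBC-SHA", "ECDHE", "RSA"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", "ECDHE", "RSA"),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DHE", "RSA"),
    Suite("DHE-RSA-AES128-GCM-SHA256", "DHE", "RSA"),
    Suite("DHE-RSA-AES256-SHA256", "DHE", "RSA"),
    Suite("DHE-RSA-AES128-SHA256", "DHE", "RSA"),
    Suite("DHE-RSA-AES256-SHA", "DHE", "RSA"),
    Suite("DHE-RSA-AES128-SHA", "DHE", "RSA"),
    Suite("DHE-RSA-DES-CBC3-SHA", "DHE", "RSA"),
    Suite("AES256-GCM-SHA384", "RSA", "RSA"),
    Suite("AES128-GCM-SHA256", "RSA", "RSA"),
    Suite("AES256-SHA256", "RSA", "RSA"),
    Suite("AES128-SHA256", "RSA", "RSA"),
    Suite("AES256-SHA", "RSA", "RSA"),
    Suite("AES128-SHA", "RSA", "RSA"),
    Suite("DES-CBC3-SHA", "RSA", "RSA"),
    Suite("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE", "ECDSA"),
    Suite("ECDHE-ECDSA-AES128-SHA256", "ECDHE", "ECDSA"),
]}

# Constructed stand-in for the DEFAULT keyword: every RSA-authenticated
# suite above, in catalogue order.
DEFAULT = [s.name for s in CATALOG.values() if s.auth == "RSA"]

# The cipher string from the question, verbatim.
QUESTION_STRING = (
    "DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:"
    "!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:"
    "!DHE-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:"
    "!AES256-SHA:!AES256-SHA256:!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:"
    "!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA"
)


def resolve(spec, default=DEFAULT, catalog=CATALOG):
    """Return the enabled suite names, in order, for a cipher string.

    Rules modelled: DEFAULT expands to the default list; NAME appends a
    known suite if not already present; !NAME removes it and blocks any
    later re-add; -NAME removes it but allows a later re-add. Unknown
    names are ignored, as OpenSSL does.
    """
    enabled, killed = [], set()
    for token in spec.split(":"):
        if token == "DEFAULT":
            for name in default:
                if name not in enabled and name not in killed:
                    enabled.append(name)
        elif token.startswith("!"):
            killed.add(token[1:])
            enabled = [n for n in enabled if n != token[1:]]
        elif token.startswith("-"):
            enabled = [n for n in enabled if n != token[1:]]
        elif token in catalog and token not in enabled and token not in killed:
            enabled.append(token)
    return enabled


def negotiable(enabled, cert_key_type, catalog=CATALOG):
    """Suites a client can actually reach, given the server certificate type."""
    return [n for n in enabled if catalog[n].auth == cert_key_type]


def unreachable(enabled, cert_key_type, catalog=CATALOG):
    """Suites enabled in the profile that can never be negotiated because
    the certificate is the wrong type; a scanner will never list these."""
    return [n for n in enabled if catalog[n].auth != cert_key_type]


if __name__ == "__main__":
    enabled = resolve(QUESTION_STRING)
    print("enabled by the string:", enabled)
    for key_type in ("RSA", "ECDSA"):
        print(f"{key_type} certificate -> offered:", negotiable(enabled, key_type))
        print(f"{key_type} certificate -> enabled but unreachable:",
              unreachable(enabled, key_type))
```

With an RSA certificate the offered list comes out as exactly the five suites the scanner reported (two DHE-RSA GCM suites, two ECDHE-RSA GCM suites and ECDHE-RSA-AES256-SHA384, which the question's string never excludes), while ECDHE-ECDSA-AES128-SHA256 lands in the "enabled but unreachable" bucket. The practical check is therefore the certificate and key attached to the client SSL profile, not the cipher string itself. Two further points the scan output raises: the DHE suites are flagged WEAK because the DH group is 1024 bits, and ECDHE-RSA-AES256-SHA384 is a CBC suite that the exclusion list did not cover.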
24-Mar-2021 06:13
If you use the NATIVE cipher list, do you have the same issue? For 12.1, the NATIVE list has ECDHE-ECDSA-AES128-SHA256 by default.
https://support.f5.com/csp/article/K13163