Forum Discussion

Karimm
Nov 21, 2022

TLS weak Qualys report

Hi guys, please help me identify the reason why the Qualys scan gives this result about the TLS protocol.

Is there anything to change on the SSL profiles?

Thank you!!

4 Replies

  • CLI Example of Creating CIPHER Rules and then including those CIPHER Rules in CIPHER Groups

    They CAN be created from the CLI and can be applied as and when required. Once the Cipher Group is created, you can apply those groups in Client SSL profiles or Server SSL profiles:

    Here is an example
    ==========
    STEP 1
    ==========
    *************************************************************************************************************
    Check LIST command to see the content of CIPHER Rule name TESTBOX1_STANDARD-CIPHER-RULE on /Common partition
    **************************************************************************************************************

    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
    ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
    cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
    description TESTBOX1_STANDARD-CIPHER-RULE
    dh-groups DEFAULT
    signature-algorithms DEFAULT
    }

    ==========
    STEP 2
    ==========
    *************************************************************************************************************
    Check LIST command to see the content of CIPHER GROUP name TESTBOX1_STANDARD-CIPHER-GROUP on /Common partition
    *************************************************************************************************************

    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
    ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
    allow {
    TESTBOX1_STANDARD-CIPHER-RULE { }
    }
    description TESTBOX1-STANDARD-CIPHER-GROUP
    ordering strength
    }


    ==========
    STEP 3
    ==========
    *************************************************************************************************************
    Check SHOW command to see the content of CIPHER Rule name TESTBOX1_STANDARD-CIPHER-RULE on /Common partition
    **************************************************************************************************************

    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE

    --------------------
    Ltm::Cipher::Rule
    --------------------
    Name TESTBOX1_STANDARD-CIPHER-RULE
    Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
    DH-Groups DEFAULT
    Signature Algorithms DEFAULT


    ==========
    STEP 4
    ==========
    *************************************************************************************************************
    Check SHOW command to see the content of CIPHER Group name TESTBOX1_STANDARD-CIPHER-GROUP on /Common partition
    **************************************************************************************************************


    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP

    ---------------------------
    Ltm::Cipher::Group
    ---------------------------
    Name TESTBOX1-STANDARD-CIPHER-GROUP
    Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
    DH-Groups Result P384:P256:X25519
    Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256


    ==========
    STEP 4
    ==========
    *************************************************************************************************************
    You can use [ load sys config merge from-terminal ] command to insert the CIPHER RULE and CIPHER GROUP from CLI
    **************************************************************************************************************

    root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# load sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm cipher rule /Common/TESTBOX1_STANDARD-CIPHER-RULE {
    cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
    description TESTBOX1_STANDARD-CIPHER-RULE
    dh-groups DEFAULT
    signature-algorithms DEFAULT
    }

    ltm cipher group /Common/TESTBOX1-STANDARD-CIPHER-GROUP {
    allow {
    /Common/TESTBOX1_STANDARD-CIPHER-RULE { }
    }
    description TESTBOX1-STANDARD-CIPHER-GROUP
    ordering strength
    }
    Loading configuration...

    ==========
    STEP 5
    ==========
    *************************************************************************************************************
    You can use [ save sys config partitions all ] to save the configuration in all the partitions && verify with the
    other list and show commands again
    **************************************************************************************************************

    root@(TESTBOX1-mgt)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# save sys config partitions all
    Saving running configuration...
    /config/bigip.conf
    /config/bigip_base.conf

     

    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE
    ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE {
    cipher "ECDHE-RSA-AES128-GCM-SHA256;ECDHE-RSA-AES128-SHA256;ECDHE-RSA-AES256-GCM-SHA384;ECDHE-RSA-AES256-SHA384;AES128-GCM-SHA256;AES128-SHA256;AES256-GCM-SHA384;AES256-SHA256;ECDHE-ECDSA-AES128-GCM-SHA256;DHE-RSA-AES256-SHA256;DHE-RSA-AES256-GCM-SHA384;DHE-RSA-AES128-SHA256;DHE-RSA-AES128-GCM-SHA256;ECDHE-ECDSA-AES256-SHA384;ECDHE-ECDSA-AES256-GCM-SHA384;ECDHE-ECDSA-AES128-SHA256;TLS13-AES128-GCM-SHA256;TLS13-AES256-GCM-SHA384"
    description TESTBOX1_STANDARD-CIPHER-RULE
    dh-groups DEFAULT
    signature-algorithms DEFAULT
    }

     

    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP
    ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP {
    allow {
    TESTBOX1_STANDARD-CIPHER-RULE { }
    }
    description TESTBOX1-STANDARD-CIPHER-GROUP
    ordering strength
    }


    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher rule TESTBOX1_STANDARD-CIPHER-RULE

    --------------------
    Ltm::Cipher::Rule
    --------------------
    Name TESTBOX1_STANDARD-CIPHER-RULE
    Cipher Suites ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3:TLS13-AES256-GCM-SHA384/TLS1.3
    DH-Groups DEFAULT
    Signature Algorithms DEFAULT


    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)#


    root@(TESTBOX1-mgt)(cfg-sync In Sync)(Active)(/Common)(tmos)# show ltm cipher group TESTBOX1-STANDARD-CIPHER-GROUP

    ---------------------------
    Ltm::Cipher::Group
    ---------------------------
    Name TESTBOX1-STANDARD-CIPHER-GROUP
    Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:DHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2:TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:TLS13-AES128-GCM-SHA256/TLS1.3
    DH-Groups Result P384:P256:X25519
    Signature Algorithms Result ECDSA-SHA512:RSA-PSS-SHA512:RSA-PKCS1-SHA512:ECDSA-SHA384:RSA-PSS-SHA384:RSA-PKCS1-SHA384:ECDSA-SHA256:RSA-PSS-SHA256:RSA-PKCS1-SHA256
    HTH

  • Hi Karimm , 
    - If you run this scan on a server/application published through a virtual server hosted by F5, you need to strengthen your SSL ciphers and remove all weak ciphers.

    Read this Article : 
    https://support.f5.com/csp/article/K01770517
    Also Look at this : 
    https://support.f5.com/csp/article/K13171
    and this as well , to apply your new strong ciphers : 
    https://support.f5.com/csp/article/K10866411

    - Recently, I have strengthened one of our customer's F5 appliances against weak ciphers, and I can definitely share it with you.

    Regards 

  • Karimm

    Hi Altocumulus, 

    Thanks a lot! Can you share how you did it with your client?

    Thank you!

    • Hi Karimm , 
      Ok 
      First : 
      > open (local traffic >ciphers and select Rules) , 
      and Create rule like this : 
      > Then Create Cipher Group  : 


      > Then modify your Client SSL profile that is attached to your virtual servers (the virtual server that you did the "Qualys" test on) and associate it with the created cipher group.
      clarified here : 

      Note: 
      > This is the used cipher in Rule : 
      DEFAULT:!TLSV1:!TLSV1_1:!AES
      This Rule excludes TLSv1 , TLSV1.1, CBC 
      > this is a More Secure Cipher : 
      ALL:!ADH:!LOW:!EXP:!NULL:!RC4:!DES:!3DES:!SHA:!SHA256:!SHA384:!MD5+HIGH:+MEDIUM

      use any of them. 
      But Note : 
      maybe some of your clients have old devices and still negotiate with weak ciphers, and this may impact them, but you are securing yourself against attacks and doing what is recommended by the Qualys test by removing all weak ciphers.

      > These ciphers restrict which cipher suites users can negotiate with your application that is published on the virtual server.

      > If you run your Qualys test again you shouldn't see the weak ciphers again.

      Regards
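Before re-running the scanner, a quick way to see what a cipher group will still expose is to audit the "Cipher Result" line that `show ltm cipher group` prints (as in the first reply above). The script below is an added example, not code from the thread or from F5: it parses that line into suite/version pairs and flags the suites a weak-cipher scan typically reports (TLS 1.2 suites without ECDHE/DHE forward secrecy, and CBC-mode suites). The sample line is constructed from the thread's output, and the classification heuristics are the author's assumption, not F5's own rating.

```python
import re

# Constructed sample: a shortened "Cipher Result" line in the format that
# `show ltm cipher group` prints (suite/TLS-version pairs separated by ':').
SAMPLE_CIPHER_RESULT = (
    "Cipher Result ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:"
    "AES256-GCM-SHA384/TLS1.2:AES256-SHA256/TLS1.2:DHE-RSA-AES256-SHA256/TLS1.2:"
    "TLS13-AES256-GCM-SHA384/TLS1.3:ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:AES128-SHA256/TLS1.2"
)


def parse_cipher_result(line):
    """Split 'Cipher Result NAME/TLSx.y:NAME/TLSx.y...' into (suite, version) tuples."""
    m = re.match(r"\s*Cipher Result\s+(\S+)", line)
    if not m:
        raise ValueError("not a Cipher Result line")
    pairs = []
    for item in m.group(1).split(":"):
        suite, _, version = item.partition("/")
        pairs.append((suite, version))
    return pairs


def classify_suite(suite, version):
    """Return the reasons a scanner would flag this suite (empty list = clean).

    Heuristics (assumption, not F5's classification):
      - no-forward-secrecy: TLS 1.2 suite whose key exchange is not ECDHE/DHE
      - cbc-mode: TLS 1.2 suite that is not an AEAD (GCM/CHACHA20) suite
    """
    findings = []
    if version == "TLS1.3":
        return findings  # every TLS 1.3 suite is AEAD with ephemeral key exchange
    if not (suite.startswith("ECDHE-") or suite.startswith("DHE-")):
        findings.append("no-forward-secrecy")
    if "GCM" not in suite and "CHACHA20" not in suite:
        findings.append("cbc-mode")
    return findings


def audit(line):
    """Map each flagged suite in a Cipher Result line to its list of findings."""
    report = {}
    for suite, version in parse_cipher_result(line):
        reasons = classify_suite(suite, version)
        if reasons:
            report[suite] = reasons
    return report


if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_CIPHER_RESULT).items():
        print(f"{suite}: {', '.join(reasons)}")
```

Paste the full "Cipher Result" line from your own device in place of the sample; any suite the script lists is a candidate to exclude from the cipher rule before the next scan.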