Weak Cipher Disabling

Jawad_Mukhtar
Altostratus

Hi Team,

 

I am trying to disable weak ciphers but am still getting the following result.

 

NULL ciphers (no encryption)                  not offered (OK)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)
Triple DES Ciphers / IDEA                     not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers       offered
Strong encryption (AEAD ciphers)              offered (OK)

 

I have used the following cipher list.

 

TLSV1_2:!DES:!3DES:!ADH:!EXPORT

 

What more do I need to add to block LOW: 64 Bit + DES, RC[2,4] (w/o export)?

9 REPLIES 9

Angelo_V
Cirrus

Hi,

What is the release of BIG-IP?

 

Angelo

Hussain_Tuta
Nimbostratus

Hi,

 

You can try the below:

 

DEFAULT:!TLSv1:!RSA:!TLSv1_1:!3DES:!AES:!CAMELLIA:!DHE:@STRENGTH

Jawad_Mukhtar
Altostratus

BIG-IP release is 14.0.0.2

Hussain's answer should be correct.

Jawad_Mukhtar
Altostratus

NULL ciphers (no encryption)                  not offered (OK)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)
Triple DES Ciphers / IDEA                     not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers       offered
Strong encryption (AEAD ciphers)              offered (O

 

 

Earlier it was giving weak cipher for Anonymous, LOW and Triple DES.

 

I entered below:

 

TLSV1_2:!DES:!3DES:!ADH:!EXPORT

 

After this they rechecked, and they are just getting 1 again:

 

NULL ciphers (no encryption)                  not offered (OK)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)
Triple DES Ciphers / IDEA                     not offered (OK)
Average: SEED + 128+256 Bit CBC ciphers       offered
Strong encryption (AEAD ciphers)              offered (OK)

 

 

What value do I need to add to the above ciphers?

Second, we only have to enable TLSV1.2, which is what I did in the above ciphers.

Samir
Nacreous

You can try something like this.

DEFAULT:ECDHE:!RSA:!DHE:!3DES

Let us know the results.

Jawad_Mukhtar
Altostratus

What is the purpose of using DEFAULT at the start? Is it a must to use? I have TLSv1.2 turned on, that is required.

Jawad_Mukhtar
Altostratus

What is the purpose of using DEFAULT at the start? Is it a must to use, as I have to have TLSv1.2 turned on?

Samir
Nacreous

F5 has already disabled all SSL, TLS 1.0 and TLS 1.1 ciphers in v14.x.

I don't think there is any difference in keeping DEFAULT at the beginning.

You can check in bash mode:

tmm --clientciphers 'DEFAULT:TLSV1_2:!DES:!3DES:!ADH:!EXPORT'

vs

tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT'
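
The `tmm --clientciphers` check above can be filtered for what the scan's LOW line names (64 bit, DES, RC2, RC4), so the offending suites are visible before the next scan. This is an added example, not part of the thread: `low_suites` and `sample_expansion` are hypothetical names, the sample rows are constructed, and the column layout is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list the LOW-grade suites that a
# BIG-IP cipher string still expands to.
# Assumption: rows follow the `tmm --clientciphers` column layout
#   <n>: <ID> <SUITE> <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>

# Print "SUITE BITS PROT" for every row that is under 128 bits or uses
# RC2, RC4 or single DES. 3DES (DES-CBC3) is a separate scanner category
# and is deliberately not matched here.
low_suites() {
  awk '
    $1 ~ /^[0-9]+:$/ {              # data rows only; skips the header line
      suite = $3; bits = $4 + 0; prot = $5
      if (bits < 128 ||
          suite ~ /(^|-)(RC2|RC4)(-|$)/ ||
          suite ~ /(^|-)DES-CBC-/)
        print suite, bits, prot
    }'
}

# Constructed sample rows standing in for real tmm output.
sample_expansion() {
  cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1:    53  AES256-SHA                       256  TLS1.2  Native  AES      SHA     RSA
 2:     5  RC4-SHA                          128  TLS1.2  Native  RC4      SHA     RSA
 3:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES      SHA     RSA
 4:     9  DES-CBC-SHA                      64   TLS1.2  Native  DES      SHA     RSA
EOF
}

# On the BIG-IP itself, pipe the real expansion instead of the sample:
#   tmm --clientciphers 'TLSV1_2:!DES:!3DES:!ADH:!EXPORT' | low_suites
sample_expansion | low_suites
```

Empty output means nothing in the expansion falls into the LOW category; any line printed is a suite to exclude explicitly in the cipher string.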