Weak Ciphers Supported

Danny_Cabrera_3
Nimbostratus

Hello. BIG-IP F5 LTM 12.1.2, Hotfix-BIGIP-12.1.2.2.0.276-HF2

I have one SSL client profile with the following cipher string: DEFAULT:!3DES:!DHE!TLSv1:!TLSv1_1

When I perform an SSL scan of the associated domain, it shows as vulnerable:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (DH 1024 bit, WEAK DH Group Size)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DH 1024 bit, WEAK DH Group Size)

On the same SSL profile, I also configured this string: !EXPORT:!3DES:!DHE:!DH:!MD5:!SSLV3:!DTLv1:!ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:!TLSv1_1:tlsV1_2

I have the same problem. Could you help me fix it?

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Surgeon
Legacy Employee

This is because of your 1024-bit DH. BIG-IP does not support DHE 2048 due to some technical aspects of this type of cipher. You can disable DHE and use ECDHE instead.

Are you sure you are connecting to BIG-IP directly? There is no RSA-DHE cipher listed on version 12.1.2 with the cipher string you used.

tmm --clientciphers 'DEFAULT:!DHE:!TLSv1:!TLSv1_1:!3DES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
 2:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
 3:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
 4:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
 5:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
 6:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
 7:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
 8: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 9: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
10: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
11: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
12: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
13: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
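A small check, added here as an example and not taken from the thread or from F5, that parses a `tmm --clientciphers` listing like the one above and flags any suite that still uses finite-field DHE key exchange or a legacy protocol version, so a cipher-string change can be verified on the box before an external scan. The sample table is constructed from rows above plus one hand-made DHE row; the exact KEYX label BIG-IP prints for finite-field DHE is an assumption, so both `DHE_` and `EDH/` prefixes are matched.

```python
"""Parse `tmm --clientciphers` output and report policy violations.

Hypothetical helper, not F5 code.  Input is the table printed by
`tmm --clientciphers '<cipher string>'`; output is a list of
(suite name, reason) findings.
"""
import re

# Constructed sample: rows 0-2 mirror the listing in the answer above,
# row 3 is hand-made to show what a remaining DHE suite would look like
# (the KEYX label for finite-field DHE is assumed, see ROW/KEYX checks).
SAMPLE = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 1:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
 2: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 3:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE_RSA
"""

# One data row: "<n>: <id> <suite> <bits> <prot> <method> <cipher> <mac> <keyx>"
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_clientciphers(text):
    """Return one dict per suite row; the header line and blanks are skipped."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, name, bits, prot, method, cipher, mac, keyx = m.groups()
            suites.append({"id": int(cid), "suite": name, "bits": int(bits),
                           "prot": prot, "method": method, "cipher": cipher,
                           "mac": mac, "keyx": keyx})
    return suites


def policy_findings(suites, legacy_prots=("SSLv3", "TLS1", "TLS1.1")):
    """Flag finite-field DHE (DHE_* / EDH/*, but not ECDHE_*) and legacy protocols."""
    findings = []
    for s in suites:
        if s["keyx"].startswith(("DHE", "EDH")):
            findings.append((s["suite"], "finite-field DHE key exchange"))
        if s["prot"] in legacy_prots:
            findings.append((s["suite"], "legacy protocol " + s["prot"]))
    return findings


if __name__ == "__main__":
    for suite, reason in policy_findings(parse_clientciphers(SAMPLE)):
        print(f"{suite}: {reason}")
```

Pipe the real listing in (`tmm --clientciphers '<string>' | python3 check.py`) by reading `sys.stdin` instead of `SAMPLE`; an empty findings list means the profile offers neither DHE nor the legacy protocol versions the scan complained about.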