03-Jun-2020 03:25
Am working on Big IP 11.5.x Version , where am asked to fix the vulnerabilities on many of the below attacks.
TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
TLS/SSL Server Does Not Support Any Strong Cipher Algorithms
TLS/SSL Server is enabling the BEAST attack
TLS/SSL Server is enabling the POODLE attack
TLS/SSL Server Supports 3DES Cipher Suite
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
TLS/SSL Server Supports SSLv3
TLS/SSL Server Supports The Use of Static Key Ciphers
Untrusted TLS/SSL server X.509 certificate
Here's what I am currently using - !RC4:!3DES:!RSA+AES:!SSLv2:!SSLv3:!TLSv1_1:ECDHE+AES-GCM
However, this isn't stopping the above attacks. Could somebody tell what cipher suit could be used ?
07-Jun-2020 04:42 - last edited on 04-Jun-2023 21:26 by JimmyPackets
Upgrade the load balancer to mitigate major attack types.
All the questions can be solved except "Untrusted TLS/SSL server X.509 certificate".
Below ciphers will help to achieve good SSL Rating in your version.
!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES
Try and let us know.
