
What Cipher to be used in case of POODLE/BEAST/SWEET32

Rose
Altostratus

I am working on Big IP 11.5.x version, where I am asked to fix the vulnerabilities on many of the below attacks.

 

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

TLS/SSL Server is enabling the BEAST attack  

TLS/SSL Server is enabling the POODLE attack

TLS/SSL Server Supports 3DES Cipher Suite

TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)  

TLS/SSL Server Supports SSLv3

TLS/SSL Server Supports The Use of Static Key Ciphers  

Untrusted TLS/SSL server X.509 certificate

 

Here's what I am currently using - !RC4:!3DES:!RSA+AES:!SSLv2:!SSLv3:!TLSv1_1:ECDHE+AES-GCM 

 

However, this isn't stopping the above attacks. Could somebody tell me what cipher suite could be used?

1 REPLY

Samir
Nacreous

Upgrade the load balancer to mitigate major attack types.

 

All the questions can be solved except "Untrusted TLS/SSL server X.509 certificate".

 

The ciphers below will help to achieve a good SSL rating in your version.

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

Try and let us know.
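
Added example, not part of the thread or of F5's tooling: a small checker that maps each enabled protocol/suite pair to the scanner findings listed in the question, so a candidate cipher string can be judged by what it actually leaves enabled. It assumes OpenSSL-style suite names and TLS 1.2 or earlier; the finding labels and the sample list are constructed for illustration.

```python
# Added example, not from the thread. Suite names are OpenSSL-style (assumption).
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}       # key exchanges with forward secrecy
AEAD_MARKS = {"GCM", "CCM", "POLY1305"}      # AEAD modes, i.e. not CBC

def findings_for(protocol, suite):
    """Return the set of scanner findings one (protocol, suite) pair triggers."""
    parts = suite.upper().split("-")
    rc4 = "RC4" in parts
    # Simplification: a TLS <= 1.2 suite that is neither RC4 nor AEAD is CBC.
    cbc = not rc4 and not AEAD_MARKS.intersection(parts)
    found = set()
    if protocol == "SSLv3":
        found.add("SSLv3")
        if cbc:
            found.add("POODLE")
    if cbc and protocol in ("SSLv3", "TLSv1"):
        found.add("BEAST")                   # CBC before TLS 1.1
    if "DES" in parts or "IDEA" in parts:    # 64-bit block ciphers
        found.add("SWEET32")
    if "CBC3" in parts:                      # OpenSSL's marker for 3DES
        found.add("3DES")
    if rc4:
        found.add("RC4")
    if parts[0] not in EPHEMERAL_KX:         # RSA or fixed (EC)DH key exchange
        found.add("static key")
    return found

def audit(enabled):
    """Group offending (protocol, suite) pairs under each finding."""
    report = {}
    for protocol, suite in enabled:
        for finding in findings_for(protocol, suite):
            report.setdefault(finding, []).append((protocol, suite))
    return report

# Constructed sample of pairs a virtual server might still accept.
SAMPLE = [
    ("SSLv3", "DES-CBC3-SHA"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1", "ECDHE-RSA-AES128-SHA"),
    ("TLSv1.2", "AES256-GCM-SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for finding, pairs in sorted(audit(SAMPLE).items()):
        print(f"{finding}: {pairs}")
```

The "Untrusted TLS/SSL server X.509 certificate" and "Does Not Support Any Strong Cipher Algorithms" findings are not covered, since they do not follow from a suite name alone.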