disable cipher
3 Topics

Client SSL Profile Cipher...Disable DES-CBC3-SHA.
One of my sites has just been penetration tested and a low risk was identified. The following weak ciphers were supported:

Testing SSL server mysite.fqdn on port 443
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
**Accepted TLSv1 168 bits DES-CBC3-SHA**
Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA

It is the TLSv1 168 bits DES-CBC3-SHA that they are not happy about, but I am not sure how to disable it in the SSL Client profile. They also suggest disabling any ciphers using 128 bit keys - so I guess TLSv1 128 bits AES128-SHA needs to go as well.

The current setting is

TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH

Is there a document that clearly shows how to achieve both - I struggle with these LTMs at the best of times. 😞

I am running BIG-IP v11.6.0 (Build 5.0.429) if that has a bearing. Any help offered will be appreciated.

Thanks,
Martin

Disable DHE Ciphers - SSL Parent Profile
I'm currently running 11.6.0 on most of my devices and am looking to upgrade past version 12.0 in the near future. Looking at the iHealth Upgrade Advisor, I need to disable DHE ciphers on all of my Server SSL Profiles before upgrading. I added DEFAULT:!EXPORT:!DHE to one of my Server SSL Profiles and it is no longer getting flagged in iHealth. Can I add that string to the Server SSL parent profile, or do I have to add that to each profile individually? Will updating the parent profile have any adverse effects on my other profiles, or would the Cipher settings be the only thing that changes?