Excluding Cipher Suites
I have been given a list of cipher suites which have been flagged as weak and cross-referenced this with the published list of ciphers for BIG-IP v12. I now need to exclude these ciphers from the default stack and whilst I am aware of the method, e.g. DEFAULT:!TLSv1, I'm not sure of the string to exclude the following specifically:
TLS1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS1.1
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Can anyone advise?
- Anesh (Cirrostratus)
Try
DEFAULT:!3DES:!DHE
- aandreyy_293459 (Nimbostratus)
Hi, I have a similar problem with ciphers. After scanning with SSL Labs I am getting some weak cipher errors, let's say for TLS1.1:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
Ciphers used in LTM are:
tmm --clientciphers 'DEFAULT:!EXPORT40:!EXP:!LOW:!DH:!DHE:!SSLv3:!MD5:!RC4-SHA:!ADH' | grep TLS1.1
4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
13: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
I cannot see any 3DES ciphers here, so I'm not sure which ones should be disabled. Do I need to disable DES by adding !DES?
Thanks
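Added example, not part of either post: the decimal IDs in the tmm listing are the same cipher suite code points the scanner prints in hex, so matching on them shows which tmm names the flagged suites correspond to. The input is the output quoted in the post above; the function names are hypothetical.

```python
import re

# Output lines from the post above (tmm --clientciphers ... | grep TLS1.1).
TMM_OUTPUT = """\
 4: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
 9: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
13: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
"""

# Scanner findings from the same post; only the hex code in parentheses is used.
SCAN_FINDINGS = """\
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
"""

# tmm line layout: index, decimal suite ID, name, bits, protocol, ...
TMM_LINE = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s")
SCAN_LINE = re.compile(r"^\s*(\S+)\s+\((0x[0-9a-fA-F]+)\)")


def parse_tmm(text):
    """Map decimal suite ID -> (tmm name, bits, protocol).

    Keyed by ID only, so feed it one protocol at a time (as grep did above).
    """
    suites = {}
    for line in text.splitlines():
        m = TMM_LINE.match(line)
        if m:
            suites[int(m.group(1))] = (m.group(2), int(m.group(3)), m.group(4))
    return suites


def match_findings(scan_text, tmm_text):
    """Return (scanner name, hex ID, tmm name or None) for each flagged suite."""
    suites = parse_tmm(tmm_text)
    results = []
    for line in scan_text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            entry = suites.get(int(m.group(2), 16))
            results.append((m.group(1), m.group(2), entry[0] if entry else None))
    return results


if __name__ == "__main__":
    for iana, code, name in match_findings(SCAN_FINDINGS, TMM_OUTPUT):
        print(f"{iana} {code} -> {name or 'not in this cipher string'}")
```

Rerunning it against the tmm output for a changed cipher string, such as the `DEFAULT:!3DES:!DHE` suggested in the first reply, shows whether the flagged IDs are still enabled.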