Forum Discussion
nitass_89166
Sep 04, 2014, Noctilucent
I normally see people using the cipher string from this sol if there is no special requirement.
sol13171: Configuring the cipher strength for SSL profiles (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
For TCP timestamp, is it this one?
TCP timestamp response
http://www.rapid7.com/db/vulnerabilities/generic-tcp-timestamp
sol8072: Obtaining uptime information from TCP timestamps
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8072.html
- Moinul_Rony (Sep 06, 2014, Altostratus): Thanks. On another point, the PCI scan pointed out the absence of "Forward Secrecy with the reference browsers". Can this be implemented/enforced via F5?
- nitass_89166 (Sep 06, 2014, Noctilucent): DH is natively supported in 11.2.1.
  Diffie-Hellman SSL key exchange cipher
  The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration.
  Release Note: BIG-IP LTM and TMOS 11.2.1
  http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html
- Moinul_Rony (Sep 06, 2014, Altostratus): Unfortunately we are using 11.2.0. Any chance to enforce DH?
- nitass_89166 (Sep 06, 2014, Noctilucent): DH is supported in the compat SSL stack in 11.2.0.
  sol13163: SSL ciphers supported on BIG-IP platforms (11.x)
  http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
- Moinul_Rony (Sep 07, 2014, Altostratus): Sorry, but enabling COMPAT cipher brought down the grading to F in SSLLABS.
- nitass_89166 (Sep 07, 2014, Noctilucent): You can list ciphers using the tmm --clientciphers command.
  tmm --clientciphers (cipher string)
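
Once a cipher string has been expanded into its suite list, the list can be checked for both forward secrecy and weak primitives before it is applied. The following is an added example, not part of the thread and not F5 code: it classifies OpenSSL-style suite names by key exchange. The sample list, the function names and the set of weak markers are constructed assumptions.

```python
# Added example: audit a list of OpenSSL-style cipher suite names.
# SAMPLE is constructed for illustration; it is not output from any device.

# Substrings that mark primitives scanners commonly penalise.
# "DES" also matches 3DES names such as DES-CBC3-SHA.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")

# Key-exchange families that give forward secrecy (ephemeral, authenticated).
FS_KX = {"ECDHE", "DHE", "TLS1.3"}

# First name token -> key-exchange family. EDH is the legacy spelling of DHE;
# ADH/AECDH are anonymous (ephemeral but unauthenticated); ECDH/DH are static.
KX_BY_PREFIX = {
    "ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE",
    "ADH": "ANON", "AECDH": "ANON",
    "ECDH": "STATIC-DH", "DH": "STATIC-DH",
    "PSK": "PSK", "SRP": "SRP",
}

def key_exchange(suite):
    """Return the key-exchange family implied by a suite name."""
    name = suite.upper()
    if name.startswith("TLS_"):          # TLS 1.3 suites always use ephemeral (EC)DHE
        return "TLS1.3"
    # Skip a leading export marker (EXP-, EXP1024-) before reading the prefix.
    first = next((t for t in name.split("-") if not t.startswith("EXP")), "")
    return KX_BY_PREFIX.get(first, "RSA")  # no key-exchange prefix means RSA key transport

def classify(suites):
    """Split suites into: forward-secret and clean, no forward secrecy, reject."""
    out = {"fs": [], "no_fs": [], "reject": []}
    for s in suites:
        kx = key_exchange(s)
        weak = [m for m in WEAK_MARKERS if m in s.upper()]
        if weak or kx == "ANON":         # weak primitive or unauthenticated exchange
            out["reject"].append(s)
        elif kx in FS_KX:
            out["fs"].append(s)
        else:
            out["no_fs"].append(s)
    return out

SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "AES128-SHA",
          "DES-CBC3-SHA", "RC4-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
          "ADH-AES128-SHA", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE).items():
        print(bucket, names)
```

A DHE suite can still land in the reject bucket when it is paired with an export or DES cipher, so a list needs both checks, not only the presence of DH.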