Forum Discussion
Hi G.Ring,
Removing DES completely from the cipher list will have a certain compatibility impact. If you drop DES ciphers, you'll also drop any WinXP/IE8 and other legacy browsers which won't support AES.
By setting the DES ciphers to the very bottom of the list, you'll make sure that every modern browser (the majority these days) will still be protected against the Sweet32 attack. Only legacy browsers may become victims of Sweet32 then, but becoming a victim of an attack will still be very unlikely, since the Sweet32 attack requires a very large amount of sniffed network traffic.
But thanks for pointing out that the official F5 recommendation is to limit the Renegotiation Size setting to 1 GB, so that no one can collect enough data from the same SSL session to pull off any birthday calculations.
Your thoughts?
Remove DES completely if compatibility isn't a concern, or move DES to the bottom of your cipher list while enforcing Renegotiation Size limits of 1 GB. ;-)
Cheers, Kai
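
The two options in the post above, as an added example that is not part of Kai's post or of any F5 tooling: it moves DES/3DES suites to the end of a cipher list (or drops them) and estimates the birthday collision probability for a 64-bit block cipher at a given amount of data per key. The function names are hypothetical, the suite list is constructed sample input in OpenSSL naming, and 1 GB is assumed to mean 2^30 bytes.

```python
import math

BLOCK_BITS = 64  # DES and 3DES both use a 64-bit block

# Constructed sample cipher list (OpenSSL-style names), not from the post.
SAMPLE_SUITES = [
    "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "AES256-SHA",
    "AES128-SHA",
]

def is_64bit_block_suite(name):
    """Heuristic: OpenSSL-style DES/3DES suite names contain 'DES'."""
    return "DES" in name.upper()

def deprioritize_des(suites):
    """Option 2: keep DES/3DES for legacy clients, but list it last.
    sorted() is stable, so the relative order inside each group is kept."""
    return sorted(suites, key=is_64bit_block_suite)

def drop_des(suites):
    """Option 1: remove DES/3DES suites entirely."""
    return [s for s in suites if not is_64bit_block_suite(s)]

def collision_probability(bytes_per_key, block_bits=BLOCK_BITS):
    """Birthday approximation p = 1 - exp(-n(n-1) / 2^(b+1)) for n
    blocks encrypted under one key with a b-bit block cipher."""
    n = bytes_per_key // (block_bits // 8)
    return -math.expm1(-n * (n - 1) / 2 ** (block_bits + 1))

if __name__ == "__main__":
    print("DES last :", ":".join(deprioritize_des(SAMPLE_SUITES)))
    print("DES gone :", ":".join(drop_des(SAMPLE_SUITES)))
    # Compare a 1 GiB renegotiation limit with no limit at 32 GiB,
    # which is 2^32 blocks of 8 bytes under one key.
    for label, size in (("1 GiB", 2 ** 30), ("32 GiB", 2 ** 35)):
        print(f"{label:>6} per key: p(collision) = "
              f"{collision_probability(size):.6f}")
```

With a 1 GiB limit a session key covers 2^27 blocks, which keeps the chance of even a single block collision at roughly 2^-11, while at 2^32 blocks it is about 39%.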