I have BIG-IP 11.2.1 in my test lab and the cipher suite below for the SSL profile:
However, there are a few weak ciphers still open when I scan:
[TLS_RSA_WITH_AES_256_CBC_SHA (0x35) ]
[TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) ]
[TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) ]
[TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) ]
Can someone advise if these can be blocked at all in 11.2.1? If yes, please share the ciphers.
So the RSA cipher suites are being deprecated by testing tools like SSL Labs, as they don't provide forward secrecy: SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT
Running a version such as 11.2.1 in a production scenario raises so many more questions other than "how do I block this cipher?". There are a significant number of vulnerabilities that have been discovered since this version was released, which have been fixed in later versions.
I would recommend patching to a later supported release at your earliest opportunity.
To answer your question, you could probably disable them, but I don't think that would leave all that many options for usable ciphers. You should test this thoroughly.
Can you please tell how to disable them and I will test it in my Test Lab?
Add !RSA to your ciphers, so it should look like:
And as Josh said, you will need to patch your system to mitigate a lot of vulnerabilities in your current version.
It gives me an error -
01070311:3: Ciphers list '.....' for profile /Common/.... denies all clients
Looks like in v11.2.1 you don't have support for ECDHE key exchange.
So you can't disable RSA, because it will eliminate all possible ciphers.
It's highly recommended to upgrade your software :)
Can you execute the following command in bash and paste the output:
tmm --clientciphers 'TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH'
Please pay attention to this article;
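The two points in this thread (the scanner flags static-RSA suites because they lack forward secrecy, and excluding RSA on a box that only offers RSA key exchange produces the "denies all clients" error) can be checked offline before touching the profile. The script below is an added example for this thread, not F5 code: it classifies IANA-style suite names as a scanner prints them, and simulates what dropping a key-exchange keyword leaves behind. The two "supported" lists are constructed assumptions, one mirroring the old box in the thread (RSA key exchange only) and one with ECDHE suites added; the exclusion keyword is modelled as matching the key-exchange component only, so confirm against your platform's cipher-string documentation (OpenSSL's `!RSA`, for instance, also removes RSA-authenticated ECDHE suites, which is why the narrower `kRSA` exists there).

```python
"""Spot TLS cipher suites without forward secrecy and simulate an exclusion.

Added example for this thread (not F5 or SSL Labs code). Input is IANA
suite names such as TLS_RSA_WITH_AES_128_CBC_SHA, as reported by scanners.
"""

# Constructed sample: the four suites the scan in the question reported.
SCANNED_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

# Constructed assumption: an old box offering only RSA key exchange (the
# situation described in the thread) versus one that also offers ECDHE.
OLD_BOX_SUPPORTED = list(SCANNED_SUITES)
NEWER_BOX_SUPPORTED = SCANNED_SUITES + [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Key-exchange prefixes that give forward secrecy (ephemeral DH / ECDH).
FORWARD_SECRET_KEX = ("TLS_ECDHE_", "TLS_DHE_")
# Bulk ciphers that are AEAD; everything else here is CBC plus HMAC.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


def key_exchange(suite):
    """Return the key-exchange part of an IANA name, e.g. 'RSA' or 'ECDHE_RSA'."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError(f"not a TLS 1.x IANA suite name: {suite}")
    return suite[len("TLS_"):suite.index("_WITH_")]


def has_forward_secrecy(suite):
    return suite.startswith(FORWARD_SECRET_KEX)


def is_aead(suite):
    return any(marker in suite for marker in AEAD_MARKERS)


def grading_issues(suite):
    """Reasons a grader would mark the suite down, in the order a report lists them."""
    issues = []
    if not has_forward_secrecy(suite):
        issues.append("no forward secrecy (static RSA key exchange)")
    if not is_aead(suite):
        issues.append("not AEAD (CBC + HMAC)")
    return issues


def suites_without_forward_secrecy(suites):
    return [s for s in suites if not has_forward_secrecy(s)]


def apply_exclusion(supported, kex_to_exclude):
    """Drop every supported suite whose key exchange equals kex_to_exclude.

    Models what '!RSA' does to static-RSA suites; an empty result is the
    'denies all clients' case the BIG-IP rejected in the thread.
    """
    return [s for s in supported if key_exchange(s) != kex_to_exclude]


def plan_exclusion(supported, kex_to_exclude="RSA"):
    """Summarise the effect of an exclusion before it is applied to a profile."""
    remaining = apply_exclusion(supported, kex_to_exclude)
    return {
        "remaining": remaining,
        "denies_all_clients": not remaining,
        "forward_secret_remaining": [s for s in remaining if has_forward_secrecy(s)],
    }


if __name__ == "__main__":
    for suite in SCANNED_SUITES:
        print(f"{suite}: {'; '.join(grading_issues(suite)) or 'ok'}")
    for label, supported in (("old box", OLD_BOX_SUPPORTED), ("newer box", NEWER_BOX_SUPPORTED)):
        plan = plan_exclusion(supported)
        verdict = "denies all clients" if plan["denies_all_clients"] else "usable"
        print(f"{label}: !RSA leaves {len(plan['remaining'])} suite(s), {verdict}")
```

Run it against the list your scanner produced: if `plan_exclusion` reports `denies_all_clients` for the suites your version actually supports, the exclusion will fail exactly as the 01070311 error shows, and the only real fix is a version that offers ECDHE or DHE key exchange.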