
Bigip 11.2.1 - weak ciphers

I have BIG-IP 11.2.1 in my test lab with the cipher suite below for the SSL profile:

TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH

However, there are a few weak ciphers still open when I scan:

[TLS_RSA_WITH_AES_256_CBC_SHA (0x35) ]

[TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) ]

[TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) ]

[TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) ]

Can someone advise if these can be blocked at all in 11.2.1? If yes, please share the ciphers.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

So the RSA cipher suites are being deprecated by testing tools like SSL Labs, as they don't provide forward secrecy (see the SSL Labs post "SSL Labs Grading Update: Forward Secrecy, Authenticated Encryption and ROBOT").

Running a version such as 11.2.1 in a production scenario raises many more questions than "how do I block this cipher?". A significant number of vulnerabilities have been discovered since this version was released, and they have been fixed in later versions.

I would recommend patching to a later supported release at your earliest opportunity.

To answer your question, you could probably disable them, but I don't think that would leave all that many options for usable ciphers. You should test this thoroughly.

Comments on this Answer
Comment made 15-Feb-2018 by Sabir Alvi 75

Can you please tell how to disable them and I will test it in my Test Lab?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

Add !RSA to your ciphers, so it should look like:

TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:!RSA:@STRENGTH

And as Josh said, you will need to patch your system to mitigate a lot of vulnerabilities in your current version.

Regards

Comments on this Answer
Comment made 16-Feb-2018 by Sabir Alvi 75

It gives me an error - 01070311:3: Ciphers list '.....' for profile /Common/.... denies all clients

Comment made 16-Feb-2018 by Ilian Ivanov 517

https://support.f5.com/csp/article/K13163

Looks like in v11.2.1 you don't have support for ECDHE key exchange.

So you can't disable RSA, because it will remove all possible ciphers.

It's highly recommended to upgrade your software :)

Comment made 16-Feb-2018 by Ilian Ivanov 517

Can you execute the following command in bash and paste the output:

tmm --clientciphers 'TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH'

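The two comments above explain why the "denies all clients" error appears: `!RSA` permanently removes every suite whose key exchange is RSA, and on a build with no ECDHE suites nothing is left. The script below is an added illustration (not F5 code and not from anyone in this thread) that models an OpenSSL-style cipher string the way `tmm --clientciphers` lists it, one row per suite and protocol. The suite catalogue, the keyword tags and the rule that `RSA` matches on key exchange only are constructed assumptions; the real result for a given build comes from running `tmm --clientciphers` on the box.

```python
"""Simplified model of BIG-IP / OpenSSL cipher-string evaluation.

Added example, not F5 code.  Assumptions: a constructed suite catalogue,
tmm-style rows (one per suite and protocol), and keyword semantics where
plain tokens add, '!' removes permanently, '-' removes, '+' moves to the
end, and '@STRENGTH' sorts by key bits descending.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    suite: str
    bits: int
    prot: str          # protocol this row applies to (one row per protocol, like tmm output)
    keyx: str          # key-exchange group: RSA, DHE, ADH, ECDHE
    cipher: str
    mac: str
    tags: frozenset    # keyword groups this row matches (including its protocol)


def rows(suite, bits, prots, keyx, cipher, mac, extra=()):
    """Expand one suite into a tmm-style row per supported protocol."""
    base = frozenset({keyx, cipher, mac, *extra})
    return [Row(suite, bits, p, keyx, cipher, mac, base | {p}) for p in prots]


ALL_PROTS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
TLS12_ONLY = ("TLSv1_2",)

# Constructed catalogue for a build with no ECDHE suites (what the thread says of 11.2.1).
NO_ECDHE = (
    rows("AES256-SHA", 256, ALL_PROTS, "RSA", "AES", "SHA")
    + rows("AES256-SHA256", 256, TLS12_ONLY, "RSA", "AES", "SHA256")
    + rows("AES128-SHA", 128, ALL_PROTS, "RSA", "AES", "SHA")
    + rows("AES128-SHA256", 128, TLS12_ONLY, "RSA", "AES", "SHA256")
    + rows("DES-CBC3-SHA", 168, ALL_PROTS, "RSA", "3DES", "SHA")
    + rows("DES-CBC-SHA", 56, ALL_PROTS, "RSA", "DES", "SHA")
    + rows("RC4-SHA", 128, ALL_PROTS, "RSA", "RC4", "SHA")
    + rows("RC4-MD5", 128, ALL_PROTS, "RSA", "RC4", "MD5")
    + rows("DHE-RSA-AES256-SHA", 256, ALL_PROTS, "DHE", "AES", "SHA", extra=("DH", "EDH"))
    + rows("ADH-AES256-SHA", 256, ALL_PROTS, "ADH", "AES", "SHA", extra=("DH",))
    + rows("EXP-RC4-MD5", 40, ALL_PROTS, "RSA", "RC4", "MD5", extra=("EXPORT",))
)

# Same catalogue plus two constructed ECDHE suites, as a newer build would carry.
WITH_ECDHE = NO_ECDHE + (
    rows("ECDHE-RSA-AES256-SHA", 256, ("TLSv1", "TLSv1_1", "TLSv1_2"), "ECDHE", "AES", "SHA", extra=("ECDH",))
    + rows("ECDHE-RSA-AES128-GCM-SHA256", 128, TLS12_ONLY, "ECDHE", "AES-GCM", "SHA256", extra=("ECDH",))
)

SCAN_STRING = "TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH"
NO_RSA_STRING = "TLSv1_2:!SSLv3:!RC4-SHA:!3DES:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:!RSA:@STRENGTH"


def evaluate(cipher_string, catalogue):
    """Return the rows a cipher string selects from the catalogue, in order."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if token == "@STRENGTH":
            selected.sort(key=lambda r: r.bits, reverse=True)   # stable, ties keep order
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        matches = [r for r in catalogue if name == r.suite or name in r.tags]
        if op == "!":                       # permanent removal: cannot be re-added later
            banned.update(matches)
            selected = [r for r in selected if r not in banned]
        elif op == "-":                     # removal that a later token may undo
            selected = [r for r in selected if r not in matches]
        elif op == "+":                     # move matching rows to the end of the list
            selected = [r for r in selected if r not in matches] + [r for r in selected if r in matches]
        else:                               # add rows not already present and not banned
            selected.extend(r for r in matches if r not in banned and r not in selected)
    return selected


def suite_names(cipher_string, catalogue):
    """Suite names in negotiation order; an empty list is the 'denies all clients' case."""
    return [r.suite for r in evaluate(cipher_string, catalogue)]


if __name__ == "__main__":
    for label, string, cat in (("scan string, no ECDHE", SCAN_STRING, NO_ECDHE),
                               ("!RSA added, no ECDHE", NO_RSA_STRING, NO_ECDHE),
                               ("!RSA added, with ECDHE", NO_RSA_STRING, WITH_ECDHE)):
        selected = evaluate(string, cat)
        print(f"== {label}: {len(selected)} suite(s)" + ("  <- denies all clients" if not selected else ""))
        for r in selected:
            print(f"  {r.suite:32} {r.bits:4} {r.prot:8} {r.keyx:6} {r.cipher:8} {r.mac}")
```

Under these assumptions the original string leaves exactly the four AES CBC suites the scanner reported, adding `!RSA` on the catalogue without ECDHE leaves nothing, and on the catalogue with ECDHE the same string keeps only the ECDHE-RSA suites, which is why the upgrade, not the cipher string, is the fix.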
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Sabir,

Please pay attention to this article;

https://support.f5.com/csp/article/K15194
