
Does BIG-IP Version 12.1.3.5 Point Release 5 support 3DES and SSLv3?

Security scanning is stating the BIG-IP 3600 is supporting 3DES and SSLv3. I do not see this option in the cipher list. I see it defined when creating the default https monitor: cipherlist DEFAULT:+SHA:+3DES:+kEDH. Admittedly, I am a bit confused. Any thoughts? Thanks. Dave

Comments on this Question
Comment made 1 month ago by Dave McCauley 256

Are they saying a VIP on the device is configured for it, or the management GUI? Perhaps it's a generic message saying that the platform supports SSLv3 but not necessarily that you have it enabled?

Running tmm --clientciphers 'SSLv3' on a v13.1 VE shows that I could enable 20 different SSLv3 ciphers, but by default, the ssl cipher string doesn't have them listed.

If you have a non-custom cipher string in the ssl profiles in use, run that command with them in between the quotes to see what ciphers are configured.

0
Comment made 1 month ago by daveferrier 55

Hi Dave. Thanks for the reply.

Actually, they are pointing to a VIP IP, and are also complaining about the physical IP of the BIG-IP.

I ran the tmm --clientciphers 'SSLv3' and tmm --clientciphers '3DES' and it came back with a similar response.

All of the ssl profiles in use are defined to use default settings.

I am going to try to negate the weak ciphers in specific profiles.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Dave already answered this in part, but you can see all the supported ciphers here:

https://support.f5.com/csp/article/K13163

All default ciphers are listed here:

https://support.f5.com/csp/article/K13156

DES and SSLv3 are supported, but SSLv3 has been disabled by default for quite some time:

https://support.f5.com/csp/article/K15022

0
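The check suggested in the comments above (expand a profile's cipher string with tmm --clientciphers and look for SSLv3 or 3DES entries), written as an added example that is not part of the original thread or F5's own tooling. The function names, the column layout of the sample output and the SSL3 protocol label are assumptions, and the sample rows are constructed rather than captured from a device.

```shell
#!/bin/sh
# Flag SSLv3 and 3DES entries in `tmm --clientciphers '<string>'` output.
# Assumed layout: a header row naming the SUITE and PROT columns, then rows
# prefixed with an "N:" index; SSLv3 shows as SSL3 in PROT, and 3DES suites
# carry DES-CBC3 in their name (OpenSSL-style naming).
flag_weak_ciphers() {
    awk '
        # Header row: remember where the SUITE and PROT columns sit.
        !seen && /SUITE/ && /PROT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "SUITE") s = i
                if ($i == "PROT")  p = i
            }
            seen = 1
            next
        }
        # Data rows carry one extra leading field, the "N:" row index.
        seen && $1 ~ /^[0-9]+:$/ {
            suite = $(s + 1); prot = $(p + 1); why = ""
            if (prot == "SSL3")     why = "SSLv3"
            if (suite ~ /DES-CBC3/) why = (why == "" ? "3DES" : why "+3DES")
            if (why != "") { print why, suite, prot; bad++ }
        }
        # Exit status 1 when at least one weak entry was listed.
        END { exit (bad > 0) }
    '
}

# Constructed sample, not captured from a real BIG-IP.
sample_output() {
    cat <<'EOF'
       ID  SUITE                  BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256           256  TLS1.2  Native  AES     SHA256  RSA
 1:    53  AES256-SHA              256  TLS1    Native  AES     SHA     RSA
 2:    53  AES256-SHA              256  SSL3    Native  AES     SHA     RSA
 3:    10  DES-CBC3-SHA            168  TLS1.2  Native  DES     SHA     RSA
 4:    10  DES-CBC3-SHA            168  SSL3    Native  DES     SHA     RSA
EOF
}

# On the device: tmm --clientciphers 'DEFAULT' | flag_weak_ciphers
sample_output | flag_weak_ciphers || echo "weak protocol/cipher entries found"
```

Run it against each cipher string actually set in the client SSL profiles behind the flagged VIP; an empty result with exit status 0 means that string offers neither SSLv3 nor 3DES, so the scanner finding would have to come from another profile or from the management interface.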