Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

How to disable weak cipher from Client SSL Profile. (TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x33))

Hi Folks,

We are running BIG-IP LTM 12.1.1. We have already disabled the weak cipher from the Client SSL Profile but still getting Weak Cipher Qualys SSL-Labs rating.

Currently we are having following values in the Client SSL Profile : "DEFAULT:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256"

But when adding the value ":!DHE-RSA-DES-CBC3-SHA" which appears in the PT report it give us an error.

Please advise how we can disable it from our Client SSl Profile.

Thanks

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Not sure if this answers your question, but if you seek to score as high as possible on ssl-labs, you should use these ciphers:

ecdhe:rsa:!sslv3:!rc4:!exp:!des:!3des

It will get you an "A" score.

Regards,

Morten

0