best practice for ssl ciphers

Question

Hi All:&nbsp;

&nbsp;

I send this post to ask you that the last week I have a auditory, an they tell me that I have &nbsp;

Low Strength Ciphers (&lt; 56-bit key).

And I need to change the

weak SSL ciphers.
&nbsp;

How can I change this option on my LTM 3900?&nbsp;

&nbsp;

Since now thanks alot.
&nbsp;

&nbsp;
&nbsp;
Synopsis&nbsp;The remote service supports the use of weak SSL ciphers.&nbsp;
List of Hosts&nbsp;&nbsp;&nbsp;&nbsp;

Plugin Output&nbsp;
Here is the list of weak SSL ciphers supported by the remote server :&nbsp;
&nbsp;Low Strength Ciphers (&lt; 56-bit key)
&nbsp;SSLv3
&nbsp;EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;TLSv1
&nbsp;EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export 
&nbsp;EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export &nbsp;
&nbsp;The fields above are :&nbsp;
&nbsp;{OpenSSL ciphername}
&nbsp;Kx={key exchange}
&nbsp;Au={authentication}
&nbsp;Enc={symmetric encryption method}
&nbsp;Mac={message authentication code}
&nbsp;{export flag}
&nbsp;

&nbsp;

hooleylist · Answer

You can customize the allowed ciphers for a VS using this SOL 
&nbsp;  
&nbsp; sol7815: Configuring the cipher strength for SSL profiles 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html 
&nbsp;  
&nbsp; And for the management GUI using this: 
&nbsp;  
&nbsp; sol6768: Restricting Configuration utility access to SSL clients that are 128 bits or higher 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

...&nbsp;

mcorvalan_57694 · Answer

Ok Aaron thanx alot for replying me asap. 
&nbsp; I think that the last option that u sent me it's gonna be usefully for me, because the problem that i found . 
&nbsp; is the IP 10.100.101.6 it's my managment interface an' not any virtual sever. &nbsp;

doug_24189 · Answer

And make sure you enable the option no SSLv2.

Forum Discussion

best practice for ssl ciphers

4 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Cipher Suite Practices and Pitfalls

AS3 Best Practice

F5 Certified Practice Exams

Cipher Suites Supported (12.1.5.3)

LTM Cipher rule