
RayThomsen_7557
Jan 13, 2015

SSL Profile cipher elimination

A customer reported having used a Nessus scan to detect "vulnerable" ciphers being allowed on their virtual. They requested I restrict these ciphers:
EXP-DES-CBC-SHA; EXP-RC2-CBC-MD5; EXP-RC4-MD5; DES-CBC-SHA; RC4-MD5; RC4-SHA; RC4-SHA
I attempted to do this by adding this statement to the cipher field of the SSL profile:
DEFAULT:!SSLv3:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!DES-CBC-SHA:!RC4-MD5:!RC4-SHA
However, I received an error of:
Invalid keyword 'cipher_name' in ciphers list for profile /partition_name/profile_name
for five of the six ciphers, only RC4-SHA was allowed. How do I restrict these other ciphers?
6 Replies

  • By the way, this is in version 11.4.1 Build 651.0 Hotfix HF5. Okay, looking about I see that DES-CBC-SHA and EXP-DES-CBC-SHA are included in the DES group. But apparently you can't restrict the ciphers in that group individually?
  • It looks like I can get DES-CBC-SHA and EXP-DES-CBC-SHA by excluding the DES group:

        tmm --clientciphers DES
             ID  SUITE                 BITS  PROT    METHOD  CIPHER  MAC  KEYX
         0:   9  DES-CBC-SHA             64  SSL3    Native  DES     SHA  RSA
         1:   9  DES-CBC-SHA             64  TLS1    Native  DES     SHA  RSA
         2:   9  DES-CBC-SHA             64  TLS1.1  Native  DES     SHA  RSA
         3:   9  DES-CBC-SHA             64  DTLS1   Native  DES     SHA  RSA
         4:  98  EXP1024-DES-CBC-SHA     56  SSL3    Native  DES     SHA  RSA
         5:  98  EXP1024-DES-CBC-SHA     56  TLS1    Native  DES     SHA  RSA
         6:  98  EXP1024-DES-CBC-SHA     56  DTLS1   Native  DES     SHA  RSA
         7:   8  EXP-DES-CBC-SHA         40  SSL3    Native  DES     SHA  RSA
         8:   8  EXP-DES-CBC-SHA         40  TLS1    Native  DES     SHA  RSA
         9:   8  EXP-DES-CBC-SHA         40  DTLS1   Native  DES     SHA  RSA
        10:  21  DHE-RSA-DES-CBC-SHA     64  SSL3    Native  DES     SHA  EDH/RSA
        11:  21  DHE-RSA-DES-CBC-SHA     64  TLS1    Native  DES     SHA  EDH/RSA
        12:  21  DHE-RSA-DES-CBC-SHA     64  TLS1.1  Native  DES     SHA  EDH/RSA
        13:  21  DHE-RSA-DES-CBC-SHA     64  TLS1.2  Native  DES     SHA  EDH/RSA

    And the RC4-MD5 and EXP-RC4-MD5 by excluding the MD5 group:

        tmm --clientciphers MD5
             ID  SUITE                 BITS  PROT    METHOD  CIPHER  MAC  KEYX
         0:   4  RC4-MD5                128  SSL3    Native  RC4     MD5  RSA
         1:   4  RC4-MD5                128  TLS1    Native  RC4     MD5  RSA
         2:   4  RC4-MD5                128  TLS1.1  Native  RC4     MD5  RSA
         3:   4  RC4-MD5                128  TLS1.2  Native  RC4     MD5  RSA
         4:   3  EXP-RC4-MD5             40  SSL3    Native  RC4     MD5  RSA
         5:   3  EXP-RC4-MD5             40  TLS1    Native  RC4     MD5  RSA

    And the cipher field took the exclusion of RC4-SHA, so all that's left is to figure out how to exclude EXP-RC2-CBC-MD5.
    • Brad_Parker
      DEFAULT:!SSLv3:!EXPORT:!MD5:!DES:!RC4 just saw you didn't want RC4 either.
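Once a group-based string like the one above is applied, the way to confirm it is to re-run `tmm --clientciphers` with the new string and check that none of the suites the customer listed survive. The script below is an added example and not from this thread or from F5: it parses saved `tmm --clientciphers` output (sample rows constructed from the DES and MD5 listings above, plus a hypothetical cleaned-up listing) and flags any suite that is on the customer's deny list, is still negotiable under SSLv3, or is weaker than 128 bits.

```python
import re
from collections import namedtuple

# Ciphers the customer asked to have removed, as listed in the question.
DENY = {"EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5", "DES-CBC-SHA", "RC4-MD5", "RC4-SHA"}

# Columns of one tmm row that matter for the check (METHOD and the numeric ID are skipped).
Suite = namedtuple("Suite", "name bits proto cipher mac keyx")
# One row looks like: "N: ID SUITE BITS PROT METHOD CIPHER MAC KEYX"; the header line does not match.
ROW = re.compile(r"^\s*\d+:\s+\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_clientciphers(text):
    """Parse saved `tmm --clientciphers` output into Suite rows; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, bits, proto, cipher, mac, keyx = m.groups()
            rows.append(Suite(name, int(bits), proto, cipher, mac, keyx))
    return rows

def offending(rows, deny=DENY, min_bits=128):
    """Names of suites that are denied outright, still offered under SSLv3, or weaker
    than min_bits. An empty list means the cipher string passed the check."""
    return sorted({r.name for r in rows
                   if r.name in deny or r.proto == "SSL3" or r.bits < min_bits})

# Constructed sample: rows copied from the thread's DES and MD5 group listings.
BEFORE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 9 DES-CBC-SHA 64 SSL3 Native DES SHA RSA
1: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
4: 98 EXP1024-DES-CBC-SHA 56 SSL3 Native DES SHA RSA
7: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
0: 4 RC4-MD5 128 TLS1.2 Native RC4 MD5 RSA
4: 3 EXP-RC4-MD5 40 TLS1 Native RC4 MD5 RSA
"""
# Constructed, hypothetical sample of a cleaned-up listing (not taken from the thread).
AFTER = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
2: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
"""

if __name__ == "__main__":
    print("before:", offending(parse_clientciphers(BEFORE)))  # six weak suites
    print("after: ", offending(parse_clientciphers(AFTER)))   # []
```

On a real unit, replace the constructed samples with the captured output of `tmm --clientciphers '<your cipher string>'` and treat any non-empty result as a failed change.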