Disable ECDHE Cipher Suite for Server Side SSL Profile

Question

Hi,&nbsp;
We have deployed Imperva WAF in transparent bridge mode between our F5 load balancers and Web Servers.  In order to perform SSL Decryption, we need to disable certain Cipher Suites including ECHDE and EDH.  I have configured the following below but am still getting warnings on the WAF that cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA**  cannot be decrypted.  
&nbsp;
Current SSL Server Profile: ** DEFAULT:!SSLv3:!ECDHE:!EDH **&nbsp;
What else is missing in order to disable cipher ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA **  ?&nbsp;
Thanks for your help!&nbsp;

jg · Answer

You mis-typed "ECDHE" in your SSL Server Profile.&nbsp;

jg · Answer

On v11.6.1, I get this:
 tmm --serverciphers 'DEFAULT:!SSLv3:!ECDHE:!EDH'
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA       
 1:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM  SHA256  RSA       
 2:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA       
 3:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA       
 4:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA       
 5:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA       
 6:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA       
 7:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA       
 8:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA       
 9:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA       
10:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA       
11:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA       
12:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA       
13:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA       
14:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA       
15:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA

which does not include ECDHE at all.
For testing, you may specify just one "NONE:AES128-SHA256" and see if you still get the same message.

Forum Discussion

Disable ECDHE Cipher Suite for Server Side SSL Profile

2 Replies

Recent Discussions

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

Related Content

Disabling Weak Ciphers

Disabling Ciphers

Translating SSL Ciphers names into the labels used in the profiles.

Cipher suite mismatch advertisement/warning

Python script to print report of VIPs, corresponding profiles, SSL profile cipher strings and full cipher list