Forum Discussion

stephen_piskor_
Sep 07, 2017

Disable Specific SSL Ciphers on F5 Big IP

Hi,

F5 novice here. Due to the results of a recent pentest I need to disable 3DES and RC4 ciphers on our F5 BIG-IP running 12.1.

I have been able to edit the existing ciphers and successfully disable one cipher, but whenever I add more than one cipher the additions get ignored. I believe this is an issue with the syntax and the way I am adding them.

I did this first, which worked for one cipher:

DEFAULT:!DES-CBC3-SHA

But when I add additional ciphers they get ignored:

DEFAULT:!DES-CBC3-SHA!ECDHE-ECDSA-DES-CBC3-SHA

I have a list of 9 ciphers I need to disable. Can anyone point me in the right direction as to how to add multiple SSL ciphers?

Thanks!

15 Replies

  • I think you could read these links.

    link 1 link 2

    You can order the list to make it as you like, e.g.: ciphers DEFAULT:RSA+AES-GCM:RSA+AES:@STRENGTH

    I hope it helps

    • stephen_piskor_

      Thanks for the info, I have already read these links. The ciphers I need to disable are listed below.

      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK   256
      TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)      DH 1024 bits   FS   WEAK   256
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK   128
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 1024 bits   FS   WEAK   128
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)     DH 1024 bits   FS   WEAK   112

      Please bear in mind my F5 knowledge is limited.

    • stephen_piskor_

      OK, I just added this:

      DEFAULT:!DHE

      This has helped a great deal.

    • stephen_piskor_

      Even better:

      DEFAULT:!DHE:!3DES

      I now get an A- due to PFS being disabled.

  • All sorted.

    I added this entire string in the client SSL profile Ciphers option. Thanks for all your help everyone.

    Qualys now reporting an A!

    !SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

    • Snl

      Good to know your issue is resolved.

  • Using the below cipher suite but still seeing the rating as "B". Any help would be highly appreciated.

    Here is the cipher:

    !SSLv2:!EXPORT:!DHE:!3DES:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:!RSA+3DES:-MD5:-SSLv3:-RC4:

    SSL Labs output: Rating B

    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 1024 bits   FS   WEAK   128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK   128
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)      DH 1024 bits   FS   WEAK   256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK   256
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)     DH 1024 bits   FS   WEAK   112
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   112

    Forward Secrecy: Weak key exchange (WEAK)
    DH public server param (Ys) reuse: Yes
    ECDH public server param reuse: Yes
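The whole thread turns on how a cipher string is resolved: rules are separated by colons, `!` removes a match for good, `-` removes it but a later rule may add it back, `A+B` selects suites matching both keywords, and `@STRENGTH` reorders by key size. The following is an added example (my own code, not F5's and not anything posted in the thread) that models those rules against a constructed suite table and runs the strings from the thread through it. The table standing in for BIG-IP's DEFAULT list is an assumption, the protocol keywords (`SSLv2`, `SSLv3`) are recorded but not applied, and malformed input is treated strictly (one unrecognised token drops that rule), so the authoritative check for a real profile string is `tmm --clientciphers '<string>'` on the BIG-IP itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str   # OpenSSL-style suite name
    kx: str     # key exchange: RSA, DHE or ECDHE
    auth: str   # authentication: RSA or ECDSA
    enc: str    # bulk cipher: AES-GCM, AES, 3DES or RC4
    mac: str    # MAC: AEAD, SHA or MD5
    bits: int   # effective strength as SSL Labs reports it


# Constructed stand-in for what a BIG-IP 12.x DEFAULT list expands to (assumption;
# the real list comes from `tmm --clientciphers DEFAULT` on the device).
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA",   "AES-GCM", "AEAD", 256),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA",   "AES-GCM", "AEAD", 128),
    Suite("ECDHE-RSA-AES256-SHA",        "ECDHE", "RSA",   "AES",     "SHA",  256),
    Suite("ECDHE-RSA-AES128-SHA",        "ECDHE", "RSA",   "AES",     "SHA",  128),
    Suite("ECDHE-RSA-DES-CBC3-SHA",      "ECDHE", "RSA",   "3DES",    "SHA",  112),
    Suite("ECDHE-ECDSA-DES-CBC3-SHA",    "ECDHE", "ECDSA", "3DES",    "SHA",  112),
    Suite("DHE-RSA-AES256-GCM-SHA384",   "DHE",   "RSA",   "AES-GCM", "AEAD", 256),
    Suite("DHE-RSA-AES128-GCM-SHA256",   "DHE",   "RSA",   "AES-GCM", "AEAD", 128),
    Suite("DHE-RSA-AES256-SHA",          "DHE",   "RSA",   "AES",     "SHA",  256),
    Suite("DHE-RSA-AES128-SHA",          "DHE",   "RSA",   "AES",     "SHA",  128),
    Suite("EDH-RSA-DES-CBC3-SHA",        "DHE",   "RSA",   "3DES",    "SHA",  112),
    Suite("AES256-GCM-SHA384",           "RSA",   "RSA",   "AES-GCM", "AEAD", 256),
    Suite("AES128-GCM-SHA256",           "RSA",   "RSA",   "AES-GCM", "AEAD", 128),
    Suite("AES256-SHA",                  "RSA",   "RSA",   "AES",     "SHA",  256),
    Suite("AES128-SHA",                  "RSA",   "RSA",   "AES",     "SHA",  128),
    Suite("DES-CBC3-SHA",                "RSA",   "RSA",   "3DES",    "SHA",  112),
    Suite("RC4-SHA",                     "RSA",   "RSA",   "RC4",     "SHA",  128),
    Suite("RC4-MD5",                     "RSA",   "RSA",   "RC4",     "MD5",  128),
]

# Keyword -> predicate. As in OpenSSL, RSA means RSA key exchange *or* RSA authentication.
KEYWORDS = {
    "DEFAULT": lambda s: True,
    "DHE":     lambda s: s.kx == "DHE",
    "ECDHE":   lambda s: s.kx == "ECDHE",
    "RSA":     lambda s: s.kx == "RSA" or s.auth == "RSA",
    "AES":     lambda s: s.enc in ("AES", "AES-GCM"),
    "AES-GCM": lambda s: s.enc == "AES-GCM",
    "3DES":    lambda s: s.enc == "3DES",
    "RC4":     lambda s: s.enc == "RC4",
    "MD5":     lambda s: s.mac == "MD5",
    "EXPORT":  lambda s: s.bits <= 56,
}
# Protocol keywords toggle protocol versions on BIG-IP rather than selecting suites; not modelled here.
PROTOCOL_KEYWORDS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}


def match(atom):
    """Suites selected by one atom (keyword or exact suite name); None if unrecognised."""
    if atom in KEYWORDS:
        return [s for s in SUITES if KEYWORDS[atom](s)]
    return [s for s in SUITES if s.name == atom] or None


def evaluate(cipher_string):
    """Apply the rules left to right; return (enabled suite names in order, notes)."""
    enabled, killed, notes = [], set(), []
    for token in re.split(r"[:, ]+", cipher_string.strip(":, ")):
        if not token:
            continue
        if token == "@STRENGTH":             # sort by strength, stable for ties
            enabled.sort(key=lambda s: -s.bits)
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        atoms = body.split("+")              # A+B selects suites matching both
        if all(a in PROTOCOL_KEYWORDS for a in atoms):
            notes.append(f"{token}: protocol keyword, not modelled")
            continue
        selected = None
        for atom in atoms:
            found = match(atom)
            if found is None:                # whole rule dropped, e.g. two rules run together without ':'
                notes.append(f"{token}: unrecognised rule, ignored")
                selected = []
                break
            selected = found if selected is None else [s for s in selected if s in found]
        if op == "!":                        # permanently remove; later rules cannot re-add
            killed.update(selected)
            enabled = [s for s in enabled if s not in selected]
        elif op == "-":                      # remove, but a later rule may add it back
            enabled = [s for s in enabled if s not in selected]
        elif op == "+":                      # move already-enabled matches to the end
            enabled = [s for s in enabled if s not in selected] + [s for s in enabled if s in selected]
        else:                                # append new matches in table order
            enabled += [s for s in selected if s not in enabled and s not in killed]
    return [s.name for s in enabled], notes


if __name__ == "__main__":
    for cs in ("DEFAULT:!DHE:!3DES", "DEFAULT:!DES-CBC3-SHA!ECDHE-ECDSA-DES-CBC3-SHA"):
        names, notes = evaluate(cs)
        print(cs, "->", len(names), "suites:", names, notes)
```

Run against the thread's strings, the model makes three things visible. `DEFAULT:!DHE:!3DES` removes DHE and 3DES but leaves RC4-SHA and RC4-MD5 enabled, which is why the first post's RC4 finding needs its own rule. The final "all sorted" string has no DHE and no RC4, but `ECDHE+3DES:RSA+3DES` explicitly adds 3DES back at the end of the list, so a pentest finding on 3DES is not closed by that string; dropping those two rules closes it. The last poster's string resolves to eight ECDHE and RSA AES suites with no DHE or 3DES at all, so a scan that still lists DH 1024-bit and 3DES suites is not explained by the string's semantics; the thing to check is that the scanned virtual server actually uses the client SSL profile carrying that string, and `tmm --clientciphers` on the device shows what the profile really negotiates.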