NimbostratusHi,
I need to disable 3DES as a part of SWEET32 vulnerability. I have gone through few articles and they mention modifying the SSL client profile and commenting out 3DES. My question is -
Thanks, Sean
NacreousHave you seen these articles?
https://support.f5.com/csp/article/K13405 https://support.f5.com/csp/article/K17491 https://support.f5.com/csp/article/K31320003
For the management console you need to modify the httpd cipher suite
list sys httpd ssl-ciphersuite
CumulonimbusHi,
You don't use a client ssl for admin access. you have to use tmsh in order to disable ciphers on admin access.
First of if you want to check cipher used, enter this command:
list sys httpd ssl-ciphersuitesys httpd {
ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
}
So if you want to disable 3DES you can just add
:!DES:!DESSo to modify SSL-Ciphersuite follow this procedure:
tmsh modify sys httpd ssl-ciphersuite 'ECDHE-RSA-AES128-GCM-SHA256:....:!DES:!DES'
tmsh save sys config
bigstart restart httpd
Keep me in touch.
regards
Nimbostratushello, I try this but not solut problem
NimbostratusI've just had a scan report for this on my F5's.
So this will modify the cipher suite for admin only?
For vServers i need to maintain the multi-suite available due to some application owners not updating their apps for years and actually can't upgrade some. We're proxying between suites for some services (false security imho but i do what i'm told)
NimbostratusAll sorted thankyou for this info