Cyril
Jan 23, 2014 Nimbostratus
Cipher suite
Hi All,
Please let me know the strongest cipher suite that can be configured in the LTM to overcome all the vulnerabilities.
Thanks in advance.
-Cyril
Hi Cyril, Hopefully these solutions can offer you some guidance:
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
Hi Kevin,
Thanks for the update.
I want to mitigate RC4 related attacks, BEAST attack, LUCKY 13 and Forward Secrecy issue. Is there any particular cipher suite recommended to fix these issues?
Thanks, -Cyril
I want to mitigate RC4 related attacks, BEAST attack, LUCKY 13 and Forward Secrecy issue. Is there any particular cipher suite recommended to fix these issues?
sol13400: SSL 3.0/TLS 1.0 BEAST vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13400.html
How about using this cipher suite -
EDH+AESGCM:EDH+AES:AESGCM:AES:-SSLv3:EDH+AES:EDH+3DES:AES:RC4:3DES:!ADH:!ECDH:!DSS:!MD5:!PSK:!eNULL:!aNULL:!SRP:!EXP:!DES
Can I use this or not, please guide me.
you can use tmm --clientciphers to check.
e.g.
[root@ve11a:Active:In Sync] config # tmm --clientciphers 'EDH+AESGCM:EDH+AES:AESGCM:AES:-SSLv3:EDH+AES:EDH+3DES:AES:RC4:3DES:!ADH:!ECDH:!DSS:!MD5:!PSK:!eNULL:!aNULL:!SRP:!EXP:!DES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
10: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
11: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
14: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
15: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
16: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
19: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
20: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
21: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
22: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 SSL3 Native AES SHA EDH/RSA
24: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
25: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
26: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
27: 22 DHE-RSA-DES-CBC3-SHA 192 SSL3 Native DES SHA EDH/RSA
28: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
29: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
30: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
31: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
32: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
33: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
34: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
35: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
36: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
37: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
38: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
39: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
40: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
41: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
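One way to read the `tmm --clientciphers` listing above against the four issues named in the thread (RC4, BEAST, Lucky 13, forward secrecy). This is an added example, not part of the original posts or F5 tooling; the sample rows are copied from the output above, and treating every non-RC4, non-GCM row as CBC is an assumption that holds for this listing.

```python
# Added example: flag rows of `tmm --clientciphers` output by exposure class.
# The flags mark suite properties, not confirmed vulnerabilities on a given build.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
18: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
22: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
32: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
"""

COLS = ("idx", "id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")


def parse(text):
    """Return one dict per cipher row; the header and shell prompt are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(COLS) and fields[0].rstrip(":").isdigit():
            rows.append(dict(zip(COLS, fields)))
    return rows


def flags(row):
    """Map one row to the issues from the thread that its properties expose."""
    # Assumption: anything that is not RC4 and not labelled GCM is a CBC suite.
    cbc = row["cipher"] != "RC4" and "GCM" not in row["cipher"] + row["suite"]
    out = []
    if row["cipher"] == "RC4":
        out.append("RC4")
    if row["prot"] == "SSL3":
        out.append("SSL3")                      # excluded by -SSLv3 only if not re-added
    if cbc and row["prot"] in ("SSL3", "TLS1"):
        out.append("BEAST")                     # CBC with predictable IV (SSL3/TLS1.0)
    if cbc:
        out.append("LUCKY13")                   # CBC MAC-then-encrypt, any version
    if not row["keyx"].startswith(("EDH", "ECDHE")):
        out.append("NO_PFS")                    # static RSA key exchange
    return out


def audit(text):
    """Return {(suite, protocol): [flags]} for every parsed row."""
    return {(r["suite"], r["prot"]): flags(r) for r in parse(text)}


if __name__ == "__main__":
    for key, found in audit(SAMPLE).items():
        print(f"{key[0]:28} {key[1]:7} {', '.join(found) or 'none'}")
```

Run over the full listing, every row carries at least one flag: the string re-adds RC4 and SSL3 after `-SSLv3`, and no GCM suite appears in the output.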