Forum Discussion

Koalan's avatar
Koalan
Icon for Cirrus rankCirrus
Oct 01, 2019

Strong cipher suite

Hi we are testing a url on sslab test and the current setup on our f5 have these ciphers:

DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RSA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4

but when we tested it on sslab test, it says:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (

0xc028
)  ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK

256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (

0xc027
)  ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK128

anyone knows how to address this?

2 Replies

  • Hi Koalan,

    tmm --clientciphers 'ECDHE+AES':

     0: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1   AES                 SHA     ECDHE_RSA
     1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  AES                 SHA     ECDHE_RSA
     2: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
     3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  DTLS1  AES                 SHA     ECDHE_RSA
     4: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  AES                 SHA256  ECDHE_RSA
     5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1   AES                 SHA     ECDHE_RSA
     6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  AES                 SHA     ECDHE_RSA
     7: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
     8: 49172  ECDHE-RSA-AES256-CBC-SHA         256  DTLS1  AES                 SHA     ECDHE_RSA
     9: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  AES                 SHA384  ECDHE_RSA

    You can add this:

    !ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:

    or use that:

    DEFAULT:!SSLv2:!SSLv3:!TLSv1:!RSA:!ECDHE-RSA-DES-CBC3-SHA:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:!ECDHE+AES:ECDHE+AES-GCM:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4