Moinul_Rony
Sep 04, 2014
How to disable CIPHER and Disable TCP time stamp on F5?
Hi, we have just been chased by PCI Compliance about vulnerabilities that were detected: WEAK CIPHER support and TCP Timestamp being turned ON.
--Report says our application:
Negotiated with the following insecure cipher suites. SSLv3 ciphers:
- SSL_RSA_WITH_RC4_128_SHA
TLS/SSL Server Supports Weak Cipher Algorithms
Solution:
Configure the server to disable support for weak ciphers.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the
SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
I have looked at some articles and there are a few ways to do that. We are using the DEFAULT cipher in our SSL Client Profile, so do we just change that to
DEFAULT:!SSLv3
or
replace DEFAULT with their suggested CIPHER
ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Please advise.
With TCP time stamp we have disabled this from the Application servers but it looks like this is turned ON in F5 for High Performance.
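Added example, not part of the original post: a small check of the three cipher strings mentioned above against the items the scan flagged (RC4 and SSLv3). It assumes OpenSSL-style cipher-string syntax, and the function names are hypothetical; it only inspects the explicit tokens, so "unspecified" means the outcome depends on what DEFAULT or ALL expand to on the device.

```python
# Added example, not from the original post. Assumes OpenSSL-style syntax:
# ':' separates tokens, '!' removes permanently, '-' removes,
# a leading '+' reorders, and 'A+B' inside a token means "A and B".

def parse(cipher_string):
    """Split a cipher string into (action, [keywords]) pairs."""
    actions = {"!": "kill", "-": "remove", "+": "reorder"}
    parsed = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        action = actions.get(token[0], "add")
        body = token[1:] if token[0] in actions else token
        parsed.append((action, body.split("+")))
    return parsed

def status(cipher_string, keyword):
    """Return 'excluded', 'added' or 'unspecified' for one keyword."""
    result = "unspecified"
    for action, parts in parse(cipher_string):
        if action == "kill" and parts == [keyword]:
            return "excluded"  # '!' is permanent, whatever its position
        if action == "add" and keyword in parts:
            result = "added"   # explicitly requested, e.g. RC4+RSA
    return result

# The three strings discussed in the post.
CANDIDATES = [
    "DEFAULT",
    "DEFAULT:!SSLv3",
    "ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
]
FLAGGED = ["RC4", "SSLv3"]

def report():
    """Map each candidate string to the status of every flagged keyword."""
    return {c: {k: status(c, k) for k in FLAGGED} for c in CANDIDATES}

if __name__ == "__main__":
    for string, findings in report().items():
        print(string, findings)
```

The string quoted from the scan report contains the token RC4+RSA and no !RC4, so it explicitly asks for RSA-keyed RC4 suites, the family that SSL_RSA_WITH_RC4_128_SHA belongs to.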