Forum Discussion

Moinul_Rony
Sep 04, 2014

How to disable CIPHER and disable TCP time stamp on F5?

Hi, we have just been chased by PCI Compliance about having a vulnerability that detected WEAK CIPHER support and TCP Timestamp being turned ON.

The report says about our application:
Negotiated with the following insecure cipher suites. SSLv3 ciphers:
• SSL_RSA_WITH_RC4_128_SHA
TLS/SSL Server Supports Weak Cipher Algorithms
Solution:
Configure the server to disable support for weak ciphers.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I have looked at some articles and there are a few ways to do that. We are using the DEFAULT cipher in our SSL Client Profile, so do we just change that to

DEFAULT:!SSLv3

or

Replace DEFAULT with their suggested CIPHER
ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Please advise.

With the TCP time stamp, we have disabled this on the application servers, but it looks like this is turned ON in F5 for High Performance.

17 Replies

  • I normally see people using the cipher string from this sol if there is no special requirement.

    sol13171: Configuring the cipher strength for SSL profiles (11.x)
    http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

    For TCP timestamp, is it this one?

    TCP timestamp response
    http://www.rapid7.com/db/vulnerabilities/generic-tcp-timestamp

    sol8072: Obtaining uptime information from TCP timestamps
    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8072.html

    • Moinul_Rony
      Thanks. On another point, the PCI scan pointed out the absence of "Forward Secrecy with the reference browsers". Can this be implemented/enforced via F5?
    • nitass_89166
      DH is natively supported in 11.2.1:
      "Diffie-Hellman SSL key exchange cipher
      The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration."
      Release Note: BIG-IP LTM and TMOS 11.2.1
      http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html
    • Moinul_Rony
      Unfortunately we are using 11.2.0. Any chance to enforce DH?
  • Security through obscurity...

    Anyway, it looks like they added the option to disable this. In version 11.4.0 and up they separated window scaling from timestamps for the high performance options in the TCP Profile.

    See http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7559.html

    Still not recommended to disable, but if you cannot accept the risk with PCI, at least you have the option. Is this coming up in a formal audit, or just a security scan? I don't think PCI strictly states this option must be off, and thus it is open to each auditor/penetration tester to decide. I'd push back on them, and use sol8072 above as supporting evidence.

    • mimlo_61970
      Also, find out what ciphers they are considering weak. RC4 with TLS1.1 and above seems to be highly out of favor, but the last time I asked support about it, they could not disable RC4 for just TLS1.1 and above; you had to disable it completely. You can go to ssllabs.com, put in your website and get their assessment of it with some recommendations.
  • After lots of trial and error, the following string works for me. The Citrix web interface worked with other strings too, but Citrix Receiver was taking too long at "negotiation capabilities"; with the string below, everything is within acceptable limits.

    TLSv1_2:TLSv1_1:TLSv1:@STRENGTH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH
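An added example, not from this thread, F5 or Citrix: a toy evaluator for OpenSSL/F5-style cipher strings over a small constructed suite table, used to compare the original poster's two candidate strings with the one above. The keyword groups, the DEFAULT set, and the rule that a protocol keyword such as !SSLv3 toggles a protocol version rather than removing suites are simplified assumptions, not BIG-IP's exact 11.x tables.

```python
from collections import namedtuple

PROTOS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
Suite = namedtuple("Suite", "name kx enc mac bits")  # kx: RSA/DHE/ADH(anonymous); enc: AES/RC4/DES/NULL

# Constructed sample table (OpenSSL short names), not the full BIG-IP 11.x cipher list.
SUITES = [
    Suite("AES256-SHA", "RSA", "AES", "SHA", 256),
    Suite("DHE-RSA-AES128-SHA", "DHE", "AES", "SHA", 128),
    Suite("AES128-SHA", "RSA", "AES", "SHA", 128),
    Suite("RC4-SHA", "RSA", "RC4", "SHA", 128),  # SSL_RSA_WITH_RC4_128_SHA, the suite the scan flagged
    Suite("DES-CBC-SHA", "RSA", "DES", "SHA", 56),
    Suite("ADH-AES128-SHA", "ADH", "AES", "SHA", 128),
    Suite("EXP-RC4-MD5", "RSA", "RC4", "MD5", 40),
    Suite("NULL-SHA", "RSA", "NULL", "SHA", 0),
]
def matches(s, kw):
    """Simplified keyword groups (assumed approximations of OpenSSL's definitions)."""
    return {
        "ALL": s.enc != "NULL", "DEFAULT": s.enc != "NULL" and s.kx != "ADH" and s.bits >= 128,
        "HIGH": s.enc == "AES", "MEDIUM": s.enc == "RC4" and s.bits == 128,
        "LOW": 40 < s.bits < 128, "EXP": s.bits == 40, "EXPORT": s.bits == 40,
        "aNULL": s.kx == "ADH", "ADH": s.kx == "ADH", "eNULL": s.enc == "NULL",
        "RSA": s.kx == "RSA", "DHE": s.kx == "DHE", "EDH": s.kx == "DHE",
        "RC4": s.enc == "RC4", "DES": s.enc == "DES", "MD5": s.mac == "MD5",
    }[kw]

def evaluate(cipher_string):
    """Return (ordered list of enabled suite names, set of enabled protocol versions)."""
    chosen, killed, protos = [], set(), set()
    for token in filter(None, cipher_string.split(":")):
        if token == "@STRENGTH":  # stable sort, strongest key length first
            chosen.sort(key=lambda s: -s.bits)
            continue
        op, kw = (token[0], token[1:]) if token[0] in "!+-" else ("", token)
        if kw in PROTOS:  # assumed F5 semantics: a protocol keyword enables or disables a version
            (protos.discard if op == "!" else protos.add)(kw)
            hits = [s for s in SUITES if s.enc != "NULL"] if op == "" else []
        else:
            hits = [s for s in SUITES if all(matches(s, p) for p in kw.split("+"))]
            protos.update(PROTOS if op == "" and kw in ("ALL", "DEFAULT") else ())
        if op == "!":  # permanently delete; later keywords cannot re-add these
            killed.update(hits)
            chosen = [s for s in chosen if s not in hits]
        elif op == "+":  # move matching suites to the end of the list
            chosen = [s for s in chosen if s not in hits] + [s for s in chosen if s in hits]
        else:  # bare keyword: append new matches in table order
            chosen += [s for s in hits if s not in chosen and s not in killed]
    return [s.name for s in chosen], protos
```

Under this model, DEFAULT:!SSLv3 only drops the SSLv3 protocol and the scanner's Apache string merely moves RC4 to the end of the list, so the flagged suite stays negotiable over TLS; only the last string, with !RC4, removes it.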