What Cipher to be used incase of POODLE/BEAST/SWEET32

Question

Am working on Big IP 11.5.x Version , where am asked to fix the vulnerabilities on many of the below attacks.

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

TLS/SSL Server Does Not Support Any Strong Cipher Algorithms

TLS/SSL Server is enabling the BEAST attack

TLS/SSL Server is enabling the POODLE attack

TLS/SSL Server Supports 3DES Cipher Suite

TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)

TLS/SSL Server Supports SSLv3

TLS/SSL Server Supports The Use of Static Key Ciphers

Untrusted TLS/SSL server X.509 certificate

Here's what I am currently using - !RC4:!3DES:!RSA+AES:!SSLv2:!SSLv3:!TLSv1_1:ECDHE+AES-GCM

However, this isn't stopping the above attacks. Could somebody tell what cipher suit could be used ?

samir · Answer

Upgrade the load balancer to mitigate major attack types.

All the questions can be solved except "Untrusted TLS/SSL server X.509 certificate".

Below ciphers will help to achieve good SSL Rating in your version.

!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:-MD5:-SSLv3:-RC4:!3DES

Try and let us know.

Forum Discussion