Forum Discussion

mc1903_137193's avatar
mc1903_137193
Icon for Nimbostratus rankNimbostratus
Sep 25, 2015

Client SSL Profile Cipher...Disable DES-CBC3-SHA.

One of my sites has just be penetration tested and a low risk was identified.

The following weak ciphers were supported

Testing SSL server mysite.fqdn on port 443 

Supported Server Cipher(s): 

Accepted TLSv1 256 bits AES256-SHA 
Accepted TLSv1 128 bits AES128-SHA 
**Accepted TLSv1 168 bits DES-CBC3-SHA** 

Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA

It is the TLSv1 168 bits DES-CBC3-SHA that they are not happy about, but I am not sure how to disable it in the SSL Client profile. They also suggest disabling any ciphers using 128 bit keys - so I guess TLSv1 128 bits AES128-SH needs to go as well.

The current setting is 
TLSv1_1:TLSv1_2:ECDHE+AES-GCM:NATIVE:!ADH:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!SSLv3:!SSLv2:@STRENGTH

Is there a document that clearly shows how to achieve both - I struggle with these LTM's at the best of times. 😞

I am running BIG-IP v11.6.0 (Build 5.0.429) if that has a bearing.

Any help offered will be appreciated.

Thanks, Martin

  • You can disable in the client-ssl profile specific to the VIP or at the parent client-ssl profile by adding "!DES-CBC3-SHA" at the Ciphers section. i.e., "DEFAULT;!DES-CBC3-SHA". Then re-scan to confirm it's disabled or via openssl "openssl s_client -cipher 'DES-CBC3-SHA' -connect %IP%:443"

     

    Hope that helps.

     

    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thank you Mel. I have just tried your suggestion and I get the following error when I press update: 01070312:3: Invalid keyword 'des-cbc3-sha' in ciphers list for profile /Common/mysite-fqdn_client_ssl_profile Any thoughts what I have done wrong? Martin
  • MVA's avatar
    MVA
    Icon for Nimbostratus rankNimbostratus

    You can disable in the client-ssl profile specific to the VIP or at the parent client-ssl profile by adding "!DES-CBC3-SHA" at the Ciphers section. i.e., "DEFAULT;!DES-CBC3-SHA". Then re-scan to confirm it's disabled or via openssl "openssl s_client -cipher 'DES-CBC3-SHA' -connect %IP%:443"

     

    Hope that helps.

     

    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thank you Mel. I have just tried your suggestion and I get the following error when I press update: 01070312:3: Invalid keyword 'des-cbc3-sha' in ciphers list for profile /Common/mysite-fqdn_client_ssl_profile Any thoughts what I have done wrong? Martin
  • This will disable 3DES and prioritize PFS and GCM.

    '!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
    . Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.
    '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
    Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.

    • Brad_Parker_139's avatar
      Brad_Parker_139
      Icon for Nacreous rankNacreous
      tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES' produces these ciphers and order. ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 8: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 9: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 13: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 14: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 17: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
    • Brad_Parker_139's avatar
      Brad_Parker_139
      Icon for Nacreous rankNacreous
      Also, if you really want to disable AES128-SHA like you mentioned above you can add a "!AES128-SHA" to the string.
    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.
  • This will disable 3DES and prioritize PFS and GCM.

    '!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
    . Looks like you are wanting to also disable TLSv1? If that's the case add !TLSv1, i.e.
    '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES'
    Last thing, if you still want to support IE on XP 3DES is the only "secure" supported cipher left.

    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      tmm --clientciphers '!EXPORT:!DH:!MD5:!SSLv3:!TLSv1:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES' produces these ciphers and order. ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 8: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.1 Native DES SHA ECDHE_RSA 9: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1.2 Native DES SHA ECDHE_RSA 10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA 11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA 12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 13: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 14: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 17: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      Also, if you really want to disable AES128-SHA like you mentioned above you can add a "!AES128-SHA" to the string.
    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thankyou Brad. That did it as far as I can see with the test site I use (which is different to the penetration testing company). I need to get SSL Scan installed onto a Linux machine to do a representative test.
  • Ensure the cipher section has "DEFAULT:!DES-CBC3-SHA", no quotes. Note, my original comment has semi-colon and it should be colon. Try that.

     

    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thanks again Mel. That was accepted this time, but when I retested my site the SSL Labs test rating dropped from an A+ (100/97/100/90) to a B (100/70/80/90).
  • MVA's avatar
    MVA
    Icon for Nimbostratus rankNimbostratus

    Ensure the cipher section has "DEFAULT:!DES-CBC3-SHA", no quotes. Note, my original comment has semi-colon and it should be colon. Try that.

     

    • mc1903_137193's avatar
      mc1903_137193
      Icon for Nimbostratus rankNimbostratus
      Thanks again Mel. That was accepted this time, but when I retested my site the SSL Labs test rating dropped from an A+ (100/97/100/90) to a B (100/70/80/90).