Disabling Weak Ciphers
Hi Experts,
We've been asked to disable the weak ciphers in F5 (12.1.2). Would like to seek help in getting the relevant ciphers disabled.
Currently, it's configured as DEFAULT in SSL profiles. Shall I proceed with this Cipher list DEFAULT:!DHE:!TLSV1_TLSV1_1 ...? Below are the alerts
PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
TLSv1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low
TLSv1.1 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1.1 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1.1 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-GCM-SHA384 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-GCM-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-SHA256 DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES256-SHA DHE 1024 yes 80 low
TLSv1.2 DHE-RSA-AES128-SHA DHE 1024 yes 80 low
TLSv1.2 EDH-RSA-DES-CBC3-SHA DHE 1024 yes 80 low#
I'm running v15.1.8 and the following matches.
DEFAULT:!TLSv1:!TLSv1_1:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256
I built it starting from DEFAULT:!TLSv1:!TLSv1_1 and excluding explicitly the suites from your comment that still were in the list. (I noticed there was 3 repetitions; also EDH-RSA-DES-CBC3-SHA did not show up in cipher rule so there was no need to specify it)