Weak cipher used with SSL profiles for F5




Certain ciphers are now considered weak. Indeni will alert if any SSL profiles are set to use them.

Remediation Steps

Follow the knowledge articles listed in the affected profiles above. Since F5 devices present the attributes in alphabetical order (to the other side), be careful when adding a property.

How does this work?

This alert logs into the F5, retrieves the cipher strings used by the management interface, and scans them for weak ciphers.

Why is this important?

Weak ciphers could allow man-in-the-middle attacks. Administrators should keep track of their cipher string configurations in order to protect their clients against known attack vectors. This alert verifies that the management interface does not use any weak ciphers.

Without Indeni how would you find this?

Log into the device through SSH. Enter TMSH and issue the command "cd /;list ltm profile client-ssl recursive ciphers renegotiation renegotiate-size" to retrieve a list of all SSL client profiles and their ciphers. Then, for each cipher string, issue the command "tmm --clientciphers" with the cipher string as its argument. Example: "tmm --clientciphers '!LOW:!SSLv3:!MD5:!RC4:!DHE:!EXPORT:ECDHE+AES-GCM:ECDHE:RSA+AES:RSA+3DES'"
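
The manual check above still leaves you reading the expanded suite list by eye. The following is an added example, not Indeni's or F5's code, that filters "tmm --clientciphers" output for weak suites. It assumes each row has the columns index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX (the layout may differ between versions), and the weak criteria and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak suites in the output of `tmm --clientciphers`.
# Assumption: data rows look like
#   " 0: 49199 SUITE BITS PROT METHOD CIPHER MAC KEYX"
# Assumption: the criteria below are illustrative, not Indeni's rule set.

flag_weak_suites() {
    # Reads tmm --clientciphers output on stdin.
    # Prints one line per weak suite: SUITE<TAB>comma-separated reasons.
    awk '
        $1 !~ /^[0-9]+:$/ { next }   # skip the header row and blank lines
        {
            suite = $3; bits = $4 + 0; prot = $5; cipher = $7; mac = $8
            why = ""
            if (cipher == "RC4")                  why = why ",rc4"
            if (cipher == "DES")                  why = why ",des-or-3des"
            if (mac == "MD5")                     why = why ",md5-mac"
            if (prot == "SSL2" || prot == "SSL3") why = why ",legacy-protocol"
            if (bits < 128)                       why = why ",short-key"
            if (suite ~ /^EXP/)                   why = why ",export"
            if (why != "") printf "%s\t%s\n", suite, substr(why, 2)
        }
    '
}

# Constructed sample input (not captured from a real device).
sample_tmm_output() {
    cat <<'EOF'
       ID  SUITE                            BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 1:    47  AES128-SHA                       128  TLS1.2  Native  AES      SHA     RSA
 2:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES      SHA     RSA
 3:     4  RC4-MD5                          128  SSL3    Native  RC4      MD5     RSA
EOF
}

# Demo run on the constructed sample. On the device, pipe the real
# command output into flag_weak_suites instead.
sample_tmm_output | flag_weak_suites
```

An empty result means none of the assumed criteria matched; it does not replace checking the cipher string against the relevant F5 knowledge articles.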
