
How To: Disable / Enable specific SSL cipher suites

Description

This article describes how to disable or enable specific TLS cipher suites on a Silverline Front-end or Back-end SSL profile.

For example, you may need to restrict the enabled cipher suites to meet PCI DSS requirements.

  • I want to change the TLS/SSL cipher suite
  • SSL/TLS
  • Cipher
  • Modification
  • Front-end/Back-end TLS/SSL profile

Environment

  • WAF Proxy
  • DDOS Proxy 
  • F5 Portal 
  • SSL/TLS Profiles

Procedure

   1. Go to the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/), enter your domain name in the search field and click Submit. See the screenshot below for reference:

[Screenshot: sslarticle.png]

   2. Make a note (copy) of the cipher suites that SSL Labs reports as supported by your domain/proxy. SSL Labs lists them by their IANA names (for example TLS_RSA_WITH_AES_128_CBC_SHA):

[Screenshot: sslarticle2.png]

   3. Determine which of the supported cipher suites you want to disable.

   4. Translate the chosen cipher suites from IANA format to OpenSSL format using this table: Q&A: What are the SSL ciphers that are supported in Silverline?

  • The OpenSSL Suite (Silverline) column of that table is the format that must be entered in the SSL profile.
  • If the cipher suite you want to disable is not listed in the table, tell the F5 SOC team about it in a ticket. The SOC can only process the request once the cipher suites are expressed in the correct (OpenSSL) format.

   5. In the Silverline Portal, navigate to Config > Proxy & App Configuration > SSL Management.

   6. Edit the Front End or Back End profile that you want to change.

   7. Add a new line inside the SSL profile (see the red boxed area in the image below):

  • To add a cipher suite: add a line containing the OpenSSL name of the cipher suite.
  • To remove a specific cipher suite: add a line containing its OpenSSL name prefixed with "!" (for example, !AES128-SHA).

[Screenshot: SSL_Cipher_Example.png]

Example

1. You decide to disable the two cipher suites below, as reported by SSL Labs:

[Screenshot: sslarticle3.png]

2. Find their counterparts in this table: Q&A: What are the SSL ciphers that are supported in Silverline?

3. Translate them from IANA names to OpenSSL names:

  • TLS_RSA_WITH_AES_128_CBC_SHA -> AES128-SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256 -> AES128-SHA256

4. Edit the SSL profile and add the following two new lines:

!AES128-SHA
!AES128-SHA256
