We have SSLv3 disabled in DataPower. I ran sslscan to check which cipher suites can currently be used during the SSL handshake.
In the sslscan output, I found that the cipher suites below are being accepted.
TLSv1 256 bits AES256-SHA
TLSv1 128 bits AES128-SHA
TLSv1 168 bits DES-CBC3-SHA
TLSv1 128 bits RC4-SHA
Preferred Server Cipher: TLSv1 256 bits AES256-SHA
I then disabled TLS 1.0 on DataPower (the server) and ran sslscan again. The result was not what I was expecting.
All the cipher suites, including the ones that were accepted during the handshake over TLS 1.0, are being rejected.
How would I find out which cipher suites my server will accept if I disable TLS 1.0?
Best Answer
Your output only references TLS 1.0, and disabling it rejects those TLS 1.0 cipher suites, as it should. Refer to the DataPower references and documentation for supporting TLS 1.1 and TLS 1.2 as well as configuring cipher suites. Start by checking your firmware version and properly upgrading to better support the latest TLS configurations.
Here is a reference for DataPower supporting TLS 1.1 and TLS 1.2 by default in firmware version 6. Your current version may not support anything but TLS 1.0, and may not yet allow configuring TLS 1.1 or TLS 1.2. http://www-01.ibm.com/support/docview.wss?uid=swg21578730 references specific crypto configurations that are granular enough to resolve issues within each TLS version, such as BEAST.
Once upgraded and configured, re-run sslscan, or alternatives such as testssl.sh if you would like to compare against sslscan.
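As an added example (not part of the question or the answer above), this POSIX shell script performs the same per-version check that sslscan does, using openssl s_client: it tries every suite the local openssl knows against the server for TLS 1.0, 1.1 and 1.2 separately, so a server that only speaks TLS 1.0 shows up as rejecting everything for the newer versions rather than as a cipher problem. It assumes an openssl binary that still accepts the -tls1, -tls1_1 and -tls1_2 flags, and a host:port argument; datapower.example.com:443 is a placeholder.

```shell
#!/bin/sh
# Added example: enumerate which cipher suites a TLS server accepts per
# protocol version, the check sslscan performs.  Not DataPower's or
# sslscan's own code.  Usage: ./probe.sh datapower.example.com:443 (placeholder).

# Classify one openssl s_client transcript: prints the negotiated cipher
# name, or "REJECTED" when no handshake completed.  s_client reports
# "Cipher is (NONE)" on failure and "Cipher is <name>" on success.
classify_handshake() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "REJECTED" ;;
        *) echo "$cipher" ;;
    esac
}

# Offer each suite alone for one protocol version and print the accepted
# ones.  A server with only TLS 1.0 enabled, as in the question, rejects
# every suite here for tls1_1 and tls1_2: the version, not the suite, fails.
probe_version() {
    target="$1"    # host:port
    version="$2"   # tls1, tls1_1 or tls1_2 (openssl s_client flag names)
    for suite in $(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' '); do
        out=$(openssl s_client -connect "$target" "-$version" -cipher "$suite" </dev/null 2>&1 || true)
        result=$(classify_handshake "$out")
        [ "$result" = "REJECTED" ] || echo "$version $result"
    done
}

# Only probe when a target was given, so the functions can be sourced safely.
if [ -n "${1:-}" ]; then
    for v in tls1 tls1_1 tls1_2; do
        probe_version "$1" "$v"
    done
fi
```

If the tls1_1 and tls1_2 loops print nothing while tls1 prints the four suites from the question, the server is not offering those protocol versions at all, which is what the answer describes.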