TLS 1.2 - block specific cipher suite on WAN

Question

Hello, 
 we use a XG430 - is there any way to block the cipher suite 
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
 on wan for a webserver keeping only TLS 1.2 with 
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
 for external connections? 
 We need TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for internal connections but have problems with external users who are blocked on webservers using this cipher suite because its classified as week. 
 I tried with the SSL/TLS inspection rules but dont find any config to block this cipher suite for external connections. 
 
 Thank you and best regards Thomas

LuCar Toni · Answer

So - There are multiple answers to this: CBC is not "weak" in terms of already hacked. Likely you got an external tool using "Weak". There are link describing what is going on: https://success.qualys.com/discussions/s/question/0D52L00006fVM4vSAG/inconsistent-results-on-ssl-labs 
 SFOS cannot be used for External to Internal Connections. This is under consideration for the future. 
 The WAF (Reverse Proxy) could do this, as we accept the connection here.

TLS 1.2 - block specific cipher suite on WAN

Top Replies