NimbostratusGreetings,
I hope this makes sense, here goes:If you use this syntax, all of the ciphers using RSA KEYX will be removed from the cipher list.
tmm --clientciphers 'DEFAULT:!RSA'
Let say, you'd like to include this cipher for some reason, but only this one:
DES-CBC3-SHA
If you used the ! filter, you would be unable to add that cipher only back:
tmm --clientciphers 'DEFAULT:!RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
So using the - filter, allows you to add only that cipher back, but keep the others filtered out:
tmm --clientciphers 'DEFAULT:-RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
48: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA
49: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA
50: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA
51: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA
52: 10 DES-CBC3-SHA 168 SSL3 Native DES SHA RSA
Hope this is helpful!
Kevin
NimbostratusHi, Thanks for the reply .
You said "If you used the ! filter, you would be unable to add that cipher only back:"
Here is where I am confused . What you mean by unable to add that cipher only back.
What I understood from other threads , If I use "tmm --clientciphers 'DEFAULT:!RSA'" ,It just print the DEFAULT list and filter RSA ,It does not remove it from the BOX .That means we can add it later
Thanks
Greetings,
You are correct, it doesn't remove the cipher from the BIG-IP system. Typically, when building filters in this manner, the admin is attempting to build a cipher string for use in the client or server SSL profile. So you could have multiple different virtual servers that reference different SSL profiles, allowing a different set of ciphers for clients to negotiate.
See 'Ciphers' in this article for more detail:
https://support.f5.com/csp/article/K14783
Hope this is helpful!
Kevin
NimbostratusHi,
ltm profile client-ssl test {
app-service none
cert digicert.crt
cert-key-chain {
digicert {
cert digicert.crt
chain gdigicertchain.crt
key digicert.key
}
}
chain gdigicertchain.crt
defaults-from clientssl
inherit-certkeychain false
key digicert.key
passphrase none
}
Now I decided to alter the DEFAULT for profile 'test',Just to remove 'DES-CBC3-SHA' ,the below profile will work ?
ltm profile client-ssl test {
app-service none
cert digicert.crt
cert-key-chain {
digicert {
cert digicert.crt
chain gdigicertchain.crt
key digicert.key
}
}
chain gdigicertchain.crt
**ciphers 'DEFAULT:!RSA:DES-CBC3-SHA'**
defaults-from clientssl
inherit-certkeychain false
key digicert.key
passphrase none
}
2.Let's say I used ' ciphers 'DEFAULT:!RSA' and later on decided to bring all RSA back , reverting the string from 'DEFAULT:!RSA' to 'ciphers 'DEFAULT' will help
Thanks
Greetings,
1) To just remove DES-CBC3-SHA, you would use: DEFAULT:!DES-CBC3-SHA
2) That is correct.
Hope this is helpful!
Kevin
NimbostratusHi,
what is the difference between
tmm --clientciphers 'DEFAULT'
openssl --clientciphers 'DEFAULT'
Do we need to play with openssl if we are interested only control plane traffic
Thanks
Greetings,
TMM's DEFAULT cipher list represent a smaller subset of F5's NATIVE cipher list. NATIVE refers to ciphers that can be hardware accelerated.OpenSSL would be used by the Configuration utility, Config synchronization and iControl REST which do exist within the control plane. To view the openssl cipher list, use:
openssl ciphers -v
Hope this is helpful!
KevinNimbostratusHi, It means we don't use ciphersuite from openssl in tmm .Only native cipher list can be used for a client profile ?
Thanks
Just to be completely thorough, this is true after version 12.0.0. There was a COMPAT stack coded in TMM prior to 12.0.0 that contained some OpenSSL ciphers.
https://support.f5.com/csp/article/K17373
Kevin