Forum Discussion
Greetings,
I hope this makes sense, here goes: If you use this syntax, all of the ciphers using RSA KEYX will be removed from the cipher list.
tmm --clientciphers 'DEFAULT:!RSA'
Let's say you'd like to include this cipher for some reason, but only this one:
DES-CBC3-SHA
If you used the ! filter, you would be unable to add that cipher only back:
tmm --clientciphers 'DEFAULT:!RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
So using the - filter allows you to add only that cipher back, but keep the others filtered out:
tmm --clientciphers 'DEFAULT:-RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
48: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA
49: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA
50: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA
51: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA
52: 10 DES-CBC3-SHA 168 SSL3 Native DES SHA RSA
Hope this is helpful!
Kevin
Greetings,
You are correct, it doesn't remove the cipher from the BIG-IP system. Typically, when building filters in this manner, the admin is attempting to build a cipher string for use in the client or server SSL profile. So you could have multiple different virtual servers that reference different SSL profiles, allowing a different set of ciphers for clients to negotiate.
See 'Ciphers' in this article for more detail:
https://support.f5.com/csp/article/K14783
Hope this is helpful!
Kevin
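The difference between the ! and - filters shown in the first post, as an added example that is not part of the original thread and is not F5 or OpenSSL code: a simplified Python model in which ! removes suites permanently and - removes them but lets a later entry add them back. The cipher table, the contents of DEFAULT and the helper names are constructed for the illustration.

```python
# Simplified model of cipher-string filtering (added illustration, not F5 or OpenSSL code).
# Constructed table: suite name -> tags (key exchange, bulk cipher). DEFAULT is
# assumed to be every suite in this table, in this order.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "AESGCM"},
    "ECDHE-RSA-AES256-CBC-SHA": {"ECDHE", "AES"},
    "AES128-GCM-SHA256": {"RSA", "AESGCM"},
    "AES256-SHA": {"RSA", "AES"},
    "DES-CBC3-SHA": {"RSA", "3DES"},
}


def match(word):
    """Suites selected by a keyword: DEFAULT, an exact suite name, or a tag."""
    if word == "DEFAULT":
        return list(SUITES)
    if word in SUITES:
        return [word]
    return [name for name, tags in SUITES.items() if word in tags]


def expand(cipher_string):
    """Return the ordered suite list a cipher string produces in this model."""
    active = []      # suites currently in the list, in order
    killed = set()   # suites removed with '!': later entries cannot re-add them
    for token in filter(None, cipher_string.split(":")):
        op, word = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        hits = match(word)
        if op in ("!", "-"):
            active = [s for s in active if s not in hits]
            if op == "!":
                killed.update(hits)
        else:
            active += [s for s in hits if s not in killed and s not in active]
    return active


def rsa_keyx_left(cipher_string):
    """Audit helper: RSA key-exchange suites still offered by the string."""
    return [s for s in expand(cipher_string) if "RSA" in SUITES[s]]


if __name__ == "__main__":
    for cs in ("DEFAULT:!RSA", "DEFAULT:!RSA:DES-CBC3-SHA", "DEFAULT:-RSA:DES-CBC3-SHA"):
        print(f"{cs:28} -> RSA keyx suites left: {rsa_keyx_left(cs)}")
```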