Custom cipher suite

Can you help me set it up on an F5 running 12.1.2 HF1. I am following the cipher suite that is stated on this guide.

Here's the one I would like to use:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

The DEFAULT cipher suite shows weak cipher suites.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Have you reviewed the SSL Everywhere Recommended Practices Guide? https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf

Comments on this Answer
Comment made 07-Feb-2018 by edmonaft 55

I've reviewed it. I just want to confirm the validity of this document against the current SSL recommendations, as it was published back in 2015.

Comment made 07-Feb-2018 by Brian A. McHenry

The SSL Labs list of ciphers to include and the order of priority is certainly the most accurate and updated.

DEFAULT is set to the best balance of security and performance at the time of a given release. DEFAULT is updated with each release of TMOS. The Recommended Practices Guide covers how to customize the cipher string to meet updated standards as indicated by SSL Labs or other standards-setting bodies.

Please check the section "Fine-Tuning Data Protection" starting on page 8 on how to build a cipher string to create the list of ciphers in your original post.

Comment made 23-Feb-2018 by edmonaft 55

Based on the instructions, I see that it requires me to access the F5 via SSH to enter these commands. I wonder if there's a way to do it via the GUI? I am not too comfortable doing this via SSH.

Comment made 23-Feb-2018 by edmonaft 55

Also, the exact instruction looks to be vague. BTW, as a reference, my F5 is currently running under 12.1.2 HF2.

Comment made 23-Feb-2018 by edmonaft 55

BTW, I tried the one mentioned in the instruction stating:

The DEFAULT cipher string included in BIG-IP version 12.0 will yield a B grade but offers full hardware acceleration. To get that coveted A+ grade, an administrator would need to have a fairly restrictive cipher list. For example “!SSLv3:!DHE:ECDHE:RSA+HIGH” will get an A grade on SSL labs but would require every user to have a very recent browser.


However, the result gave me a Grade C rating.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The only reason you would need the CLI is to perform the tmm --clientciphers command to detail what ciphers a string will create.

How about this one? You then just need to add this to the cipher string in the clientssl profile.

tmm --clientciphers 'ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES'

       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES       SHA     ECDHE_ECDSA
 3: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 4: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 6: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES       SHA     ECDHE_ECDSA
 8: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 9: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
10: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
12: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
14: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
15: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
16: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
19: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
20:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
21:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
22:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
23:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA
24:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
25:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
26:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA
27:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
28:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
29:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
30:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
31:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA

By the way, you didn't specify a TLS version, so this includes all TLS versions. If you add -TLSv1 at the end, that would disallow TLS 1.0.

Rgds N

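The answer above shows the tmm listing but leaves the reviewing to the eye. The following is an added example, not code from this thread or from F5: it parses the `tmm --clientciphers` table printed above (copied in verbatim), reports the protocol versions enabled, flags any suite without forward secrecy or with an HMAC-SHA1 CBC MAC, and diffs the listing against the 18 IANA-named suites from the original question. The OpenSSL-name-to-IANA-name mapping is my own and handles only the AES suites that appear in the listing; anything else raises rather than being silently dropped. Run on this table it reports no missing or extra suites, so the string reproduces the requested list exactly and the remaining difference is protocol versions (TLS 1.0 and DTLS 1.0 are still present without -TLSv1), not cipher choice.

```python
"""Audit a BIG-IP `tmm --clientciphers` listing against a target cipher list.
Added example; not from the DevCentral thread and not F5 code."""
import re

# Copied verbatim from the tmm --clientciphers output in the answer above.
TMM_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES       SHA     ECDHE_ECDSA
 3: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 4: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 6: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES       SHA     ECDHE_ECDSA
 8: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
 9: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
10: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
12: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
14: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
15: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
16: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
19: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
20:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
21:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
22:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
23:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA
24:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
25:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
26:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA
27:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
28:    51  DHE-RSA-AES128-SHA               128  TLS1    Native  AES       SHA     EDH/RSA
29:    51  DHE-RSA-AES128-SHA               128  TLS1.1  Native  AES       SHA     EDH/RSA
30:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
31:    51  DHE-RSA-AES128-SHA               128  DTLS1   Native  AES       SHA     EDH/RSA
"""

# The 18 suites requested in the original question (IANA names).
TARGET = """
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
""".split()

# One data row: "<n>: <id> <suite> <bits> <proto> <method> <cipher> <mac> <keyx>"
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_tmm_clientciphers(text):
    """Return one dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, suite, bits, proto, method, cipher, mac, keyx = m.groups()
            rows.append({"id": int(cid), "suite": suite, "bits": int(bits), "proto": proto,
                         "method": method, "cipher": cipher, "mac": mac, "keyx": keyx})
    return rows


def to_iana(suite):
    """Map an OpenSSL-style AES suite name as tmm prints it to its IANA name,
    e.g. ECDHE-RSA-AES256-CBC-SHA -> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
    My own mapping (assumption): covers only the AES suites in the listing."""
    tokens = suite.split("-")
    for i, tok in enumerate(tokens):
        m = re.fullmatch(r"AES(128|256)", tok)
        if m:
            break
    else:
        raise ValueError(f"not an AES suite: {suite}")
    kx = "_".join(tokens[:i])                            # ECDHE_RSA, DHE_RSA, ...
    mode = "GCM" if "GCM" in tokens[i + 1:] else "CBC"   # tmm omits "CBC" in some names
    return f"TLS_{kx}_WITH_AES_{m.group(1)}_{mode}_{tokens[-1]}"


def audit(rows):
    """Checks a reviewer wants before pasting the string into a clientssl profile."""
    return {
        "protocols": sorted({r["proto"] for r in rows}),
        "no_forward_secrecy": sorted({r["suite"] for r in rows
                                      if not r["keyx"].startswith(("ECDHE", "EDH"))}),
        "sha1_cbc": sorted({r["suite"] for r in rows if r["mac"] == "SHA"}),
    }


def diff_against_target(rows, target=TARGET):
    """(missing, extra): target suites tmm did not produce, and produced suites not in target."""
    offered = {to_iana(r["suite"]) for r in rows}
    return sorted(set(target) - offered), sorted(offered - set(target))
```

Usage: `rows = parse_tmm_clientciphers(TMM_OUTPUT)`, then `audit(rows)` and `diff_against_target(rows)`. To check a different string, paste the new tmm output into `TMM_OUTPUT` on a workstation; nothing here talks to the BIG-IP, so the one CLI step stays the `tmm --clientciphers` run itself.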
Comments on this Answer
Comment made 23-Feb-2018 by edmonaft 55

I am only going to support TLS 1.1 (and 1.2) upwards.

Comment made 23-Feb-2018 by nathan 7257

tmm --clientciphers 'ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES:-TLSv1'

That should do that.

Comment made 23-Feb-2018 by edmonaft 55

BTW, this is the only option I have in the GUI.

Comment made 23-Feb-2018 by nathan 7257

Overwrite ciphers with ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AES-GCM:-MD5:-SSLv3:-RC4:-3DES:-TLSv1

Comment made 25-Feb-2018 by edmonaft 55

Hi Nathan,

I tried the cipher suite you advised me to input and it gave me a grading of B.


Here are the cipher suite details. I would want to avoid providing weak cipher suites.

Wonder if it is possible to have the cipher suites I listed above be translated into something similar to the ones listed above.

Appreciate your help on this.

Comment made 26-Feb-2018 by nathan 7257

To remove DHE you can use the ! command to exclude ciphers, e.g. ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES:-TLSv1. If this is to get an A or above on SSL Labs, then can I refer you to the following DC post: HowTo: Getting an awesome Qualys SSL-Labs rating... (Feb 2017 Update)

Comment made 26-Feb-2018 by edmonaft 55

Initially, we tried using DEFAULT:!3DES:!DHE and got a grade of A-.

However, we've seen in the report that there are still weak cipher suites present, which we're hoping we can address by removing these weak cipher suites that are provided with the DEFAULT (for version 12.1.2 HF2).

Comment made 26-Feb-2018 by edmonaft 55

We opted to use DEFAULT:!3DES:!DHE:!RSA and got an A grade, as well as removing all weak ciphers.


Comment made 26-Feb-2018 by nathan 7257

OK, great. thanks for feeding back.
