
Setting ciphers manually in BIG IP

I have BIG-IP v11.6.1 and need to manually set the ciphers. Here is the list of ciphers, in the order I want them. I have been unable to make this happen. Can someone assist?

Cipher | Suite (hex value) | Bits | Protocols | Key Exchange | Authentication | Cipher | MAC
--- | --- | --- | --- | --- | --- | --- | ---
ECDHE-RSA-AES256-GCM-SHA384 | 0xc030 | 256 | TLS1.2 | ECDHE | RSA | AES-GCM | SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 | 0xc02c | 256 | TLS1.2 | ECDHE | ECDSA | AES-GCM | SHA384
ECDH-RSA-AES256-GCM-SHA384 | 0xc032 | 256 | TLS1.2 | ECDH | RSA | AES-GCM | SHA384
ECDH-ECDSA-AES256-GCM-SHA384 | 0xc02e | 256 | TLS1.2 | ECDH | ECDSA | AES-GCM | SHA384
ECDHE-RSA-AES256-SHA384 | 0xc028 | 256 | TLS1.2 | ECDHE | RSA | AES | SHA384
ECDHE-ECDSA-AES256-SHA384 | 0xc024 | 256 | TLS1.2 | ECDHE | ECDSA | AES | SHA384
DHE-DSS-AES256-GCM-SHA384 | 0xa3 | 256 | TLS1.2 | DHE | DSS | AES-GCM | SHA384
DHE-RSA-AES256-GCM-SHA384 | 0x9f | 256 | TLS1.2 | EDH | RSA | AES-GCM | SHA384
ECDH-RSA-AES256-SHA384 | 0xc02a | 256 | TLS1.2 | ECDH | RSA | AES | SHA384
ECDH-ECDSA-AES256-SHA384 | 0xc026 | 256 | TLS1.2 | ECDH | ECDSA | AES | SHA384
AES256-GCM-SHA384 | 0x9d | 256 | TLS1.2 | RSA | RSA | AES-GCM | SHA384
DHE-RSA-AES256-SHA256 | 0x6b | 256 | TLS1.2 | EDH | RSA | AES | SHA256
DHE-DSS-AES256-SHA256 | 0x6a | 256 | TLS1.2 | DHE | DSS | AES | SHA256
AES256-SHA256 | 0x3d | 256 | TLS1.2 | RSA | RSA | AES | SHA256
ECDHE-RSA-AES256-CBC-SHA | 0xc014 | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | RSA | AES | SHA
ECDHE-ECDSA-AES256-SHA | 0xc00a | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | ECDSA | AES | SHA
ECDH-RSA-AES256-SHA | 0xc00f | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | RSA | AES | SHA
ECDH-ECDSA-AES256-SHA | 0xc005 | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | ECDSA | AES | SHA
DHE-RSA-AES256-SHA | 0x39 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | EDH | RSA | AES | SHA
DHE-DSS-AES256-SHA | 0x38 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | DHE | DSS | AES | SHA
AES256-SHA | 0x35 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | RSA | RSA | AES | SHA


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

F5 article on configuring ciphers: https://support.f5.com/csp/article/K13171

See the result of a string on a device via CLI bash with this command:

tmm --clientciphers '<cipher string>'

Example:

tmm --clientciphers 'NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:RSA+AES:RSA+3DES:@STRENGTH'

The "@STRENGTH" tells it to sort the ciphers by strength, strongest first.

Also see: F5 SSL Everywhere Recommended Practices
https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf

Once you have a cipher string you want, add it to your SSL profile, sshd, or httpd.

Comments on this Answer

Comment made 28-Jun-2017 by SFiddy

This is information I was already aware of. My problem is getting the exact ciphers in the exact order as in my original post. I haven't figured out that string, and I have spent quite a bit of time formatting and testing. I am looking for assistance from someone who can show me.

Comment made 28-Jun-2017 by PK

What version of BIG-IP is it?

Comment made 28-Jun-2017 by LoyalSoldier

SFiddy,

Have you seen this article? Looks like it might help with what you are trying to do. https://devcentral.f5.com/questions/how-to-prioritize-cipher-suites-on-f5

Another article, which includes an example of testing them: https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites#.U5rIoPmSy1k

Comment made 28-Jun-2017 by SFiddy

I am using 11.6.1

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I recommend running the command tmm --clientciphers 'DEFAULT' to check the default configuration. Example output:

[root@localhost:Active:Standalone] config # tmm --clientciphers 'DEFAULT'

       ID  SUITE                      BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:     5  RC4-SHA                    128   SSL3    Native  RC4     SHA     RSA
 1:     5  RC4-SHA                    128   TLS1    Native  RC4     SHA     RSA
 2:     5  RC4-SHA                    128   TLS1.1  Native  RC4     SHA     RSA
 3:     5  RC4-SHA                    128   TLS1.2  Native  RC4     SHA     RSA
 4:    47  AES128-SHA                 128   SSL3    Native  AES     SHA     RSA
 5:    47  AES128-SHA                 128   TLS1    Native  AES     SHA     RSA
 6:    47  AES128-SHA                 128   TLS1.1  Native  AES     SHA     RSA
 7:    47  AES128-SHA                 128   TLS1.2  Native  AES     SHA     RSA
 8:    47  AES128-SHA                 128   DTLS1   Native  AES     SHA     RSA
 9:    53  AES256-SHA                 256   SSL3    Native  AES     SHA     RSA
10:    53  AES256-SHA                 256   TLS1    Native  AES     SHA     RSA
11:    53  AES256-SHA                 256   TLS1.1  Native  AES     SHA     RSA
12:    53  AES256-SHA                 256   TLS1.2  Native  AES     SHA     RSA
13:    53  AES256-SHA                 256   DTLS1   Native  AES     SHA     RSA
14:    10  DES-CBC3-SHA               192   SSL3    Native  DES     SHA     RSA
15:    10  DES-CBC3-SHA               192   TLS1    Native  DES     SHA     RSA
16:    10  DES-CBC3-SHA               192   TLS1.1  Native  DES     SHA     RSA
17:    10  DES-CBC3-SHA               192   TLS1.2  Native  DES     SHA     RSA
18:    10  DES-CBC3-SHA               192   DTLS1   Native  DES     SHA     RSA
19:    60  AES128-SHA256              128   TLS1.2  Native  AES     SHA256  RSA
20:    61  AES256-SHA256              256   TLS1.2  Native  AES     SHA256  RSA
21: 49171  ECDHE-RSA-AES128-CBC-SHA   128   TLS1    Native  AES     SHA     ECDHE_RSA
22: 49171  ECDHE-RSA-AES128-CBC-SHA   128   TLS1.1  Native  AES     SHA     ECDHE_RSA
23: 49171  ECDHE-RSA-AES128-CBC-SHA   128   TLS1.2  Native  AES     SHA     ECDHE_RSA
24: 49172  ECDHE-RSA-AES256-CBC-SHA   256   TLS1    Native  AES     SHA     ECDHE_RSA
25: 49172  ECDHE-RSA-AES256-CBC-SHA   256   TLS1.1  Native  AES     SHA     ECDHE_RSA
26: 49172  ECDHE-RSA-AES256-CBC-SHA   256   TLS1.2  Native  AES     SHA     ECDHE_RSA
27: 49170  ECDHE-RSA-DES-CBC3-SHA     192   TLS1    Native  DES     SHA     ECDHE_RSA
28: 49170  ECDHE-RSA-DES-CBC3-SHA     192   TLS1.1  Native  DES     SHA     ECDHE_RSA
29: 49170  ECDHE-RSA-DES-CBC3-SHA     192   TLS1.2  Native  DES     SHA     ECDHE_RSA

Translation is (this command will print the same output):

tmm --clientciphers 'RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA'

The general idea is to order the suites (third column of the output), in this example RC4-SHA:AES128-SHA:AES256-SHA etc., and to test with tmm --clientciphers 'ORDERED SUITES'.

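Both accepted answers come down to the same procedure: write the suites as an explicit colon-separated list in the order you want them (no keyword groups, no @STRENGTH), run it through tmm --clientciphers, and read the SUITE column back to confirm the order. The script below is an added example for this thread, not F5 code and not something either answerer posted. It takes the questioner's list with the hex IDs from the question, emits the string, and parses tmm output to report which suites the device did not list and whether the ones it did list came back in the requested order. It compares suite IDs rather than names, since names differ between tools (tmm prints ECDHE-RSA-AES256-CBC-SHA for 0xc014, OpenSSL omits the CBC). SAMPLE_TMM_OUTPUT is constructed in the format of the answer's output and is not captured from a real BIG-IP.

```python
"""Build an explicit BIG-IP cipher string from the questioner's ordered
list and verify that order against `tmm --clientciphers` output.

Added example for this thread; not F5 code. Suite names and hex IDs are
those listed in the question. SAMPLE_TMM_OUTPUT is constructed in the
format of the accepted answer's output, not captured from a real BIG-IP.
"""
import re

# (name, IANA suite ID) in the order the questioner wants them. IDs are
# compared instead of names because names differ between tools.
WANTED = [
    ("ECDHE-RSA-AES256-GCM-SHA384", 0xC030),
    ("ECDHE-ECDSA-AES256-GCM-SHA384", 0xC02C),
    ("ECDH-RSA-AES256-GCM-SHA384", 0xC032),
    ("ECDH-ECDSA-AES256-GCM-SHA384", 0xC02E),
    ("ECDHE-RSA-AES256-SHA384", 0xC028),
    ("ECDHE-ECDSA-AES256-SHA384", 0xC024),
    ("DHE-DSS-AES256-GCM-SHA384", 0x00A3),
    ("DHE-RSA-AES256-GCM-SHA384", 0x009F),
    ("ECDH-RSA-AES256-SHA384", 0xC02A),
    ("ECDH-ECDSA-AES256-SHA384", 0xC026),
    ("AES256-GCM-SHA384", 0x009D),
    ("DHE-RSA-AES256-SHA256", 0x006B),
    ("DHE-DSS-AES256-SHA256", 0x006A),
    ("AES256-SHA256", 0x003D),
    ("ECDHE-RSA-AES256-CBC-SHA", 0xC014),
    ("ECDHE-ECDSA-AES256-SHA", 0xC00A),
    ("ECDH-RSA-AES256-SHA", 0xC00F),
    ("ECDH-ECDSA-AES256-SHA", 0xC005),
    ("DHE-RSA-AES256-SHA", 0x0039),
    ("DHE-DSS-AES256-SHA", 0x0038),
    ("AES256-SHA", 0x0035),
]

# One data row of tmm output:
#   "<row>: <suite id> <name> <bits> <prot> <method> <cipher> <mac> <keyx>"
TMM_ROW = re.compile(
    r"^\s*\d+:\s+(?P<sid>\d+)\s+(?P<name>\S+)\s+\d+\s+(?P<prot>\S+)"
    r"(?:\s+\S+){4}\s*$"
)

# Constructed sample (not real output): tmm-style rows for a few wanted suites.
SAMPLE_TMM_OUTPUT = """\
       ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA       256  TLS1    Native  AES      SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA       256  TLS1.1  Native  AES      SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA       256  TLS1.2  Native  AES      SHA     ECDHE_RSA
 5:    53  AES256-SHA                     256  TLS1.2  Native  AES      SHA     RSA
"""


def build_cipher_string(wanted):
    """Colon-join suite names in list order, dropping duplicates. With no
    keyword groups or @STRENGTH, tmm keeps the order as written."""
    names = []
    for name, _sid in wanted:
        if name not in names:
            names.append(name)
    return ":".join(names)


def parse_tmm_output(text):
    """Return [(suite id, name, [protocols])] in the order tmm printed them.
    tmm prints one row per suite per protocol; rows are merged per suite."""
    order = []
    for line in text.splitlines():
        m = TMM_ROW.match(line)
        if not m:
            continue  # header or blank line
        sid = int(m.group("sid"))
        for entry in order:
            if entry[0] == sid:
                entry[2].append(m.group("prot"))
                break
        else:
            order.append((sid, m.group("name"), [m.group("prot")]))
    return order


def check_order(wanted, parsed):
    """Return (names tmm did not list, actual order of the wanted IDs,
    True if that order matches the wish list)."""
    got = [sid for sid, _name, _prots in parsed]
    missing = [name for name, sid in wanted if sid not in got]
    expected = [sid for _name, sid in wanted if sid in got]
    actual = [sid for sid in got if sid in expected]
    return missing, actual, actual == expected


if __name__ == "__main__":
    print(build_cipher_string(WANTED))
    missing, actual, ok = check_order(WANTED, parse_tmm_output(SAMPLE_TMM_OUTPUT))
    print("in order:", ok, "| not listed by tmm:", ", ".join(missing))
```

On the box, feed the printed string to tmm --clientciphers, save the output, and run it through parse_tmm_output and check_order instead of eyeballing thirty rows. Anything in the "not listed" result is a suite this build does not offer under that name (or at all) and needs a different name or has to be dropped from the list; the static ECDH and DHE-DSS entries in the wish list are the ones most worth watching here. Once the check passes, the same string goes on the client SSL profile (tmsh: modify ltm profile client-ssl NAME ciphers 'STRING').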