Forum Discussion

SFiddy_313786
Jun 21, 2017

Setting ciphers manually in BIG IP

I have BIG-IP v11.6.1 and need to manually set the ciphers. Here is the list of ciphers, in order, of what I want. I have been unable to make this happen. Can someone assist?

Cipher | Suite (hex value) | Bits | Protocols | Key Exchange | Authentication | Cipher | MAC
--- | --- | --- | --- | --- | --- | --- | ---
ECDHE-RSA-AES256-GCM-SHA384 | 0xc030 | 256 | TLS1.2 | ECDHE | RSA | AES-GCM | SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 | 0xc02c | 256 | TLS1.2 | ECDHE | ECDSA | AES-GCM | SHA384
ECDH-RSA-AES256-GCM-SHA384 | 0xc032 | 256 | TLS1.2 | ECDH | RSA | AES-GCM | SHA384
ECDH-ECDSA-AES256-GCM-SHA384 | 0xc02e | 256 | TLS1.2 | ECDH | ECDSA | AES-GCM | SHA384
ECDHE-RSA-AES256-SHA384 | 0xc028 | 256 | TLS1.2 | ECDHE | RSA | AES | SHA384
ECDHE-ECDSA-AES256-SHA384 | 0xc024 | 256 | TLS1.2 | ECDHE | ECDSA | AES | SHA384
DHE-DSS-AES256-GCM-SHA384 | 0xa3 | 256 | TLS1.2 | DHE | DSS | AES-GCM | SHA384
DHE-RSA-AES256-GCM-SHA384 | 0x9f | 256 | TLS1.2 | EDH | RSA | AES-GCM | SHA384
ECDH-RSA-AES256-SHA384 | 0xc02a | 256 | TLS1.2 | ECDH | RSA | AES | SHA384
ECDH-ECDSA-AES256-SHA384 | 0xc026 | 256 | TLS1.2 | ECDH | ECDSA | AES | SHA384
AES256-GCM-SHA384 | 0x9d | 256 | TLS1.2 | RSA | RSA | AES-GCM | SHA384
DHE-RSA-AES256-SHA256 | 0x6b | 256 | TLS1.2 | EDH | RSA | AES | SHA256
DHE-DSS-AES256-SHA256 | 0x6a | 256 | TLS1.2 | DHE | DSS | AES | SHA256
AES256-SHA256 | 0x3d | 256 | TLS1.2 | RSA | RSA | AES | SHA256
ECDHE-RSA-AES256-CBC-SHA | 0xc014 | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | RSA | AES | SHA
ECDHE-ECDSA-AES256-SHA | 0xc00a | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | ECDSA | AES | SHA
ECDH-RSA-AES256-SHA | 0xc00f | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | RSA | AES | SHA
ECDH-ECDSA-AES256-SHA | 0xc005 | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | ECDSA | AES | SHA
DHE-RSA-AES256-SHA | 0x39 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | EDH | RSA | AES | SHA
DHE-DSS-AES256-SHA | 0x38 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | DHE | DSS | AES | SHA
AES256-SHA | 0x35 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | RSA | RSA | AES | SHA


11 Replies

  • F5 article on configuring ciphers: https://support.f5.com/csp/article/K13171

    See the result of a string on a device via CLI bash with this command:

    tmm --clientciphers '<cipher string>'

    Example:

    tmm --clientciphers 'NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:RSA+AES:RSA+3DES:@STRENGTH'

    The "@STRENGTH" tells it to sort the ciphers by strength, strongest first.

    Also see: F5 SSL Everywhere Recommended Practices

    https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf

    Once you have a cipher string you want, add it to your SSL profile, sshd, or httpd.

  • I recommend using the command tmm --clientciphers 'DEFAULT' for checking the default configuration. Output example:

    [root@localhost:Active:Standalone] config tmm --clientciphers 'DEFAULT'

           ID  SUITE                     BITS PROT   METHOD CIPHER MAC    KEYX
     0:    5   RC4-SHA                   128  SSL3   Native RC4    SHA    RSA
     1:    5   RC4-SHA                   128  TLS1   Native RC4    SHA    RSA
     2:    5   RC4-SHA                   128  TLS1.1 Native RC4    SHA    RSA
     3:    5   RC4-SHA                   128  TLS1.2 Native RC4    SHA    RSA
     4:    47  AES128-SHA                128  SSL3   Native AES    SHA    RSA
     5:    47  AES128-SHA                128  TLS1   Native AES    SHA    RSA
     6:    47  AES128-SHA                128  TLS1.1 Native AES    SHA    RSA
     7:    47  AES128-SHA                128  TLS1.2 Native AES    SHA    RSA
     8:    47  AES128-SHA                128  DTLS1  Native AES    SHA    RSA
     9:    53  AES256-SHA                256  SSL3   Native AES    SHA    RSA
    10:    53  AES256-SHA                256  TLS1   Native AES    SHA    RSA
    11:    53  AES256-SHA                256  TLS1.1 Native AES    SHA    RSA
    12:    53  AES256-SHA                256  TLS1.2 Native AES    SHA    RSA
    13:    53  AES256-SHA                256  DTLS1  Native AES    SHA    RSA
    14:    10  DES-CBC3-SHA              192  SSL3   Native DES    SHA    RSA
    15:    10  DES-CBC3-SHA              192  TLS1   Native DES    SHA    RSA
    16:    10  DES-CBC3-SHA              192  TLS1.1 Native DES    SHA    RSA
    17:    10  DES-CBC3-SHA              192  TLS1.2 Native DES    SHA    RSA
    18:    10  DES-CBC3-SHA              192  DTLS1  Native DES    SHA    RSA
    19:    60  AES128-SHA256             128  TLS1.2 Native AES    SHA256 RSA
    20:    61  AES256-SHA256             256  TLS1.2 Native AES    SHA256 RSA
    21:    49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1   Native AES    SHA    ECDHE_RSA
    22:    49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES    SHA    ECDHE_RSA
    23:    49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES    SHA    ECDHE_RSA
    24:    49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1   Native AES    SHA    ECDHE_RSA
    25:    49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES    SHA    ECDHE_RSA
    26:    49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES    SHA    ECDHE_RSA
    27:    49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1   Native DES    SHA    ECDHE_RSA
    28:    49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1.1 Native DES    SHA    ECDHE_RSA
    29:    49170 ECDHE-RSA-DES-CBC3-SHA   192 TLS1.2 Native DES    SHA    ECDHE_RSA

    Translation is (this command will print the same output):

    tmm --clientciphers 'RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA'

    The general idea is ordering the suites (third column of the output), in this example RC4-SHA:AES128-SHA:AES256-SHA etc., and testing with tmm --clientciphers 'ORDERED SUITES'
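An added offline check for the workflow the replies describe (not code from this thread or from F5): parse captured `tmm --clientciphers` output in the row format shown above, read off the order the device will actually offer, compare it with the poster's wanted order, and flag rows a reviewer would reject before the string goes into an SSL profile. The sample rows are copied from the DEFAULT listing above; `WANTED` is a subset of the poster's table, and all function names are mine.

```python
import re
# Constructed sample in the format `tmm --clientciphers` prints (one row per
# suite/protocol pair); the rows are copied from the DEFAULT listing in the reply.
SAMPLE_TMM_OUTPUT = """\
       ID  SUITE                     BITS PROT   METHOD CIPHER MAC    KEYX
 0:    5   RC4-SHA                   128  SSL3   Native RC4    SHA    RSA
 4:    47  AES128-SHA                128  SSL3   Native AES    SHA    RSA
 9:    53  AES256-SHA                256  SSL3   Native AES    SHA    RSA
12:    53  AES256-SHA                256  TLS1.2 Native AES    SHA    RSA
14:    10  DES-CBC3-SHA              192  SSL3   Native DES    SHA    RSA
20:    61  AES256-SHA256             256  TLS1.2 Native AES    SHA256 RSA
26:    49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES    SHA    ECDHE_RSA
"""
# A subset of the poster's wanted list, in the poster's order (assumed for the demo).
WANTED = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "AES256-GCM-SHA384",
          "AES256-SHA256", "ECDHE-RSA-AES256-CBC-SHA", "AES256-SHA"]

FIELDS = ("id", "suite", "name", "bits", "prot", "method", "cipher", "mac", "keyx")
ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def to_cipher_string(wanted):
    """Colon-join suite names: the string handed to tmm --clientciphers and the profile."""
    return ":".join(wanted)

def parse_tmm_output(text):
    """Turn tmm output into dicts, skipping the header and anything that is not a row."""
    return [dict(zip(FIELDS, m.groups())) for m in map(ROW.match, text.splitlines()) if m]

def negotiated_order(rows):
    """Distinct suite names in the order the device offers them (the column to read)."""
    order = []
    for r in rows:
        if r["name"] not in order:
            order.append(r["name"])
    return order

def compare_to_wanted(rows, wanted):
    """Return (missing, in_order): wanted suites never offered, and whether the offered
    suites keep the wanted relative order."""
    offered = negotiated_order(rows)
    missing = [s for s in wanted if s not in offered]
    present = [s for s in wanted if s in offered]
    return missing, [s for s in offered if s in present] == present

WEAK_CIPHERS = {"RC4", "DES"}   # "DES" is the CIPHER value tmm prints for DES-CBC3-SHA
WEAK_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}

def weak_rows(rows):
    """Rows to reject before the string goes live: RC4/3DES, or anything below TLS1.2."""
    return [r for r in rows if r["cipher"] in WEAK_CIPHERS or r["prot"] in WEAK_PROTOCOLS]
```

Run on the DEFAULT sample it reports the wanted GCM/SHA384 suites as missing, the remaining three out of order, and four RC4/3DES/SSL3 rows, which is the same conclusion the poster reached by hand.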