Forum Discussion

bluestar007_339
Nov 14, 2017

cipher suite -adding and removing

Hi, the statements below are really confusing. Does it mean that even listing will remove the cipher suite from the machine?

For example, to remove a cipher from the cipher list, even if it is explicitly stated later in the cipher string, use the following syntax:

tmm --clientciphers 'DEFAULT:!RSA'

For example, to remove the cipher from the cipher list, but add it back to the cipher list if later options allow, use the following syntax:

tmm --clientciphers DEFAULT:-RSA

https://support.f5.com/csp/article/K15194

Thanks

9 Replies

  • Kevin_K_51432

    Greetings,

    I hope this makes sense, here goes:

    If you use this syntax, all of the ciphers using RSA KEYX will be removed from the cipher list.

    tmm --clientciphers 'DEFAULT:!RSA'

    Let's say you'd like to include this cipher for some reason, but only this one:

    DES-CBC3-SHA

    If you used the ! filter, you would be unable to add only that cipher back:

    tmm --clientciphers 'DEFAULT:!RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'

    So using the - filter allows you to add only that cipher back, but keep the others filtered out:

    tmm --clientciphers 'DEFAULT:-RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
    48:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
    49:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
    50:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
    51:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA
    52:    10  DES-CBC3-SHA                     168  SSL3    Native  DES       SHA     RSA

    Hope this is helpful!

    Kevin
    • bluestar007_339

      Hi, thanks for the reply.

      You said "If you used the ! filter, you would be unable to add that cipher only back:"

      Here is where I am confused. What do you mean by "unable to add that cipher only back"?

      What I understood from other threads: if I use "tmm --clientciphers 'DEFAULT:!RSA'", it just prints the DEFAULT list and filters RSA; it does not remove it from the BOX. That means we can add it later.

      Thanks

    • Kevin_K_51432

      Greetings,

      You are correct, it doesn't remove the cipher from the BIG-IP system. Typically, when building filters in this manner, the admin is attempting to build a cipher string for use in the client or server SSL profile. So you could have multiple different virtual servers that reference different SSL profiles, allowing a different set of ciphers for clients to negotiate.

      See 'Ciphers' in this article for more detail:

      https://support.f5.com/csp/article/K14783

      Hope this is helpful!

      Kevin

    • bluestar007_339
      Hi,

      ltm profile client-ssl test {
          app-service none
          cert digicert.crt
          cert-key-chain {
              digicert {
                  cert digicert.crt
                  chain gdigicertchain.crt
                  key digicert.key
              }
          }
          chain gdigicertchain.crt
          defaults-from clientssl
          inherit-certkeychain false
          key digicert.key
          passphrase none
      }

      1. I have a client profile like the one above, which inherits from the clientssl profile (the clientssl profile uses ciphers "DEFAULT").

      Now I have decided to alter the DEFAULT for profile 'test', just to remove 'DES-CBC3-SHA'. Will the profile below work?

      ltm profile client-ssl test {
          app-service none
          cert digicert.crt
          cert-key-chain {
              digicert {
                  cert digicert.crt
                  chain gdigicertchain.crt
                  key digicert.key
              }
          }
          chain gdigicertchain.crt
          **ciphers 'DEFAULT:!RSA:DES-CBC3-SHA'**
          defaults-from clientssl
          inherit-certkeychain false
          key digicert.key
          passphrase none
      }

      2. Let's say I used ciphers 'DEFAULT:!RSA' and later on decided to bring all RSA back. Will reverting the string from 'DEFAULT:!RSA' to 'DEFAULT' help?

      Thanks
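The following is an added example, not code from the thread or from F5: a small Python model of OpenSSL-style cipher string evaluation that makes the difference between `!` and `-` from Kevin's first reply visible, and lets the two profile strings asked about above ('DEFAULT:!RSA:DES-CBC3-SHA' and a plain 'DEFAULT') be evaluated side by side. The cipher table is constructed (five suites, not the real BIG-IP DEFAULT list), `DEFAULT` is taken to mean the whole table, and the `RSA` keyword is matched against the key-exchange column only, following Kevin's description; real OpenSSL and tmm keyword matching is broader, so treat the matching rule as an assumption of the model.

```python
"""
Simplified model of OpenSSL-style cipher string evaluation (added example,
not the BIG-IP tmm implementation). It exists to show why '!' differs from '-':
'!' marks matching suites as killed for the rest of the string, '-' only drops
them from the current selection so a later token can add them back.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str   # suite name as written in a cipher string
    kx: str     # key-exchange method (the KEYX column in tmm's listing)
    enc: str    # bulk encryption algorithm
    mac: str    # MAC / integrity algorithm


# Constructed sample table: a handful of suites, not a real DEFAULT list.
CIPHER_TABLE = [
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "AES-GCM", "AEAD"),
    Cipher("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE", "AES-GCM", "AEAD"),
    Cipher("ECDHE-RSA-AES256-SHA", "ECDHE", "AES", "SHA"),
    Cipher("AES128-SHA", "RSA", "AES", "SHA"),
    Cipher("DES-CBC3-SHA", "RSA", "DES", "SHA"),
]


def matches(cipher: Cipher, keyword: str) -> bool:
    """A keyword selects a suite by exact name, by key-exchange method, or ALL.
    Restricting 'RSA' to the key-exchange column is an assumption of this model;
    real OpenSSL keyword matching is broader."""
    return keyword == "ALL" or keyword == cipher.name or keyword == cipher.kx


def evaluate(cipher_string: str, table=CIPHER_TABLE) -> list[str]:
    """Evaluate a cipher string left to right; return the ordered suite names.

    DEFAULT   adds every suite in the table that is not already killed
    !KEYWORD  removes matching suites and marks them killed, so no later token
              can bring them back
    -KEYWORD  removes matching suites from the current selection only; a later
              token may add them again
    KEYWORD   adds matching suites that are not killed
    Every call starts from an empty selection: evaluating one string never
    changes the table, just as a profile's string does not alter the system.
    """
    selected: list[Cipher] = []
    killed: set[str] = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            keyword = token[1:]
            killed.update(c.name for c in table if matches(c, keyword))
            selected = [c for c in selected if not matches(c, keyword)]
        elif token.startswith("-"):
            keyword = token[1:]
            selected = [c for c in selected if not matches(c, keyword)]
        else:
            keyword = "ALL" if token == "DEFAULT" else token
            for c in table:
                if matches(c, keyword) and c.name not in killed and c not in selected:
                    selected.append(c)
    return [c.name for c in selected]


def offers(cipher_string: str, suite: str) -> bool:
    """True when the evaluated string still contains the named suite."""
    return suite in evaluate(cipher_string)


if __name__ == "__main__":
    for s in ("DEFAULT", "DEFAULT:!RSA", "DEFAULT:!RSA:DES-CBC3-SHA",
              "DEFAULT:-RSA:DES-CBC3-SHA", "DEFAULT:!DES-CBC3-SHA"):
        print(f"{s:30} -> {evaluate(s)}")
```

Running the model reproduces the behaviour in Kevin's two `grep` commands: 'DEFAULT:!RSA:DES-CBC3-SHA' yields no DES-CBC3-SHA because the `!RSA` kill is final, while 'DEFAULT:-RSA:DES-CBC3-SHA' puts that one suite back at the end of the list. A string that removes only one suite would name it directly ('DEFAULT:!DES-CBC3-SHA' in the model), and since each string is evaluated from scratch, 'DEFAULT' again yields the full table.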