James_Smith_299
Apr 12, 2018

How to view supported Ciphers on a Custom SSL Profile?

I have a pair of BIG-IP Virtual Edition running firmware 12.1.2 in High Availability (Active/Standby). I need to disable DHE-based ciphers and re-order them strongest first.

Local Traffic >> Profiles >> SSL >> Client >> I already have a Custom SSL Profile which uses clientssl as Parent

 

For the Custom SSL Profile, I've updated the Ciphers text box from DEFAULT:!RC4 to DEFAULT:!RC4:!DHE:@STRENGTH

 

I've only applied this change on Standby so I can compare the difference between Active and Standby when I issue this command, but they look identical.

tmm --clientciphers HIGH

What's the problem with my syntax? Do I need to specify my name?

 

2 Replies

  • This looks the same on both LTMs. Why?

    tmm --clientciphers HIGH
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
     5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
     6: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
     7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES       SHA     ECDHE_ECDSA
     8: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES       SHA     ECDHE_ECDSA
     9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
    10:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS
    11:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
    12:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
    13:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS
    14:    57  DHE-RSA-AES256-SHA               256  SSL3    Native  AES       SHA     EDH/RSA
    15:    57  DHE-RSA-AES256-SHA               256  TLS1    Native  AES       SHA     EDH/RSA
    16:    57  DHE-RSA-AES256-SHA               256  TLS1.1  Native  AES       SHA     EDH/RSA
    17:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
    18:    57  DHE-RSA-AES256-SHA               256  DTLS1   Native  AES       SHA     EDH/RSA
    19:    56  DHE-DSS-AES256-SHA               256  SSL3    Native  AES       SHA     DHE/DSS
    20:    56  DHE-DSS-AES256-SHA               256  TLS1    Native  AES       SHA     DHE/DSS
    21:    56  DHE-DSS-AES256-SHA               256  TLS1.1  Native  AES       SHA     DHE/DSS
    22:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES       SHA     DHE/DSS
    23:    56  DHE-DSS-AES256-SHA               256  DTLS1   Native  AES       SHA     DHE/DSS
    24:   167  ADH-AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM   SHA384  ADH
    25:    58  ADH-AES256-SHA                   256  SSL3    Native  AES       SHA     ADH
    26:    58  ADH-AES256-SHA                   256  TLS1    Native  AES       SHA     ADH
    27: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA
    28: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
    29: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA
    30: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
    31: 49167  ECDH-RSA-AES256-SHA              256  TLS1    Native  AES       SHA     ECDH_RSA
    32: 49167  ECDH-RSA-AES256-SHA              256  TLS1.1  Native  AES       SHA     ECDH_RSA
    33: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES       SHA     ECDH_RSA
    34: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1    Native  AES       SHA     ECDH_ECDSA
    35: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.1  Native  AES       SHA     ECDH_ECDSA
    36: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES       SHA     ECDH_ECDSA
    37:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
    38:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
    39:    53  AES256-SHA                       256  SSL3    Native  AES       SHA     RSA
    40:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
    41:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
    42:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
    43:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
    44: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA
    45: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA
    46: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA
    47: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1    Native  DES       SHA     ECDHE_ECDSA
    48: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.1  Native  DES       SHA     ECDHE_ECDSA
    49: 49160  ECDHE-ECDSA-DES-CBC3-SHA         168  TLS1.2  Native  DES       SHA     ECDHE_ECDSA
    50:    22  DHE-RSA-DES-CBC3-SHA             168  SSL3    Native  DES       SHA     EDH/RSA
    51:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1    Native  DES       SHA     EDH/RSA
    52:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.1  Native  DES       SHA     EDH/RSA
    53:    22  DHE-RSA-DES-CBC3-SHA             168  TLS1.2  Native  DES       SHA     EDH/RSA
    54:    22  DHE-RSA-DES-CBC3-SHA             168  DTLS1   Native  DES       SHA     EDH/RSA
    55:    27  ADH-DES-CBC3-SHA                 168  SSL3    Native  DES       SHA     ADH
    56:    27  ADH-DES-CBC3-SHA                 168  TLS1    Native  DES       SHA     ADH
    57: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1    Native  DES       SHA     ECDH_RSA
    58: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.1  Native  DES       SHA     ECDH_RSA
    59: 49165  ECDH-RSA-DES-CBC3-SHA            168  TLS1.2  Native  DES       SHA     ECDH_RSA
    60: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1    Native  DES       SHA     ECDH_ECDSA
    61: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.1  Native  DES       SHA     ECDH_ECDSA
    62: 49155  ECDH-ECDSA-DES-CBC3-SHA          168  TLS1.2  Native  DES       SHA     ECDH_ECDSA
    63:    10  DES-CBC3-SHA                     168  SSL3    Native  DES       SHA     RSA
    64:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
    65:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
    66:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
    67:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA
    68:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1    Native  CAMELLIA  SHA     EDH/RSA
    69:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     EDH/RSA
    70:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     EDH/RSA
    71:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1    Native  CAMELLIA  SHA     DHE/DSS
    72:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.1  Native  CAMELLIA  SHA     DHE/DSS
    73:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS
    74:   132  CAMELLIA256-SHA                  256  TLS1    Native  CAMELLIA  SHA     RSA
    75:   132  CAMELLIA256-SHA                  256  TLS1.1  Native  CAMELLIA  SHA     RSA
    76:   132  CAMELLIA256-SHA                  256  TLS1.2  Native  CAMELLIA  SHA     RSA

  • nathe

    You need to reference the cipher string e.g.

    tmm --clientciphers 'DEFAULT:!RC4:!DHE:@STRENGTH'
    or
    tmm --clientciphers 'DEFAULT:!RC4'

    HIGH is a string, just like DEFAULT.

    Try running those commands and hope that helps.

    N
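
Once the listing for each cipher string has been saved from tmm --clientciphers, the two can be checked off-box for leftover DHE key exchange and for strongest-first ordering. This is an added example, not part of the original thread or of F5's tooling: a Python 3 script that parses rows in the column layout posted above. The function names are hypothetical, BEFORE and AFTER are constructed sample rows rather than captured device output, and "strongest first" is assumed to mean non-increasing BITS.

```python
import re

# Constructed sample rows in the layout of the `tmm --clientciphers` output
# posted above: index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX.
# They are illustrative only and were not captured from a device.
BEFORE = """\
 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
 1:   159 DHE-RSA-AES256-GCM-SHA384   256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
 2: 49170 ECDHE-RSA-DES-CBC3-SHA      168 TLS1.2 Native DES     SHA    ECDHE_RSA
 3:    56 DHE-DSS-AES256-SHA          256 TLS1   Native AES     SHA    DHE/DSS
 4:    53 AES256-SHA                  256 TLS1.2 Native AES     SHA    RSA
"""
AFTER = """\
 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
 1:    53 AES256-SHA                  256 TLS1.2 Native AES     SHA    RSA
 2: 49170 ECDHE-RSA-DES-CBC3-SHA      168 TLS1.2 Native DES     SHA    ECDHE_RSA
"""

# Captures ID, SUITE, BITS, PROT and KEYX; METHOD, CIPHER and MAC are skipped.
ROW = re.compile(
    r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")

def parse(text):
    """Return one dict per cipher row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "suite": m.group(2),
                         "bits": int(m.group(3)), "prot": m.group(4),
                         "keyx": m.group(5)})
    return rows

def audit(text):
    """Report remaining finite-field DHE suites and whether BITS never increases."""
    rows = parse(text)
    # KEYX shows finite-field DHE as DHE/... or EDH/...; ECDHE_* is not matched.
    dhe = sorted({r["suite"] for r in rows if re.match(r"(DHE|EDH)\b", r["keyx"])})
    bits = [r["bits"] for r in rows]
    return {"count": len(rows), "dhe": dhe,
            "strongest_first": bits == sorted(bits, reverse=True)}

def removed(before, after):
    """Suites listed for the first cipher string but absent from the second."""
    return sorted({r["suite"] for r in parse(before)} -
                  {r["suite"] for r in parse(after)})

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
    print(removed(BEFORE, AFTER))
```
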