how to prioritize cipher suites

Question

I am running version LTM BIGIP 12.1.3.5 and confused as to how to prioritize cipher suites.&nbsp;
I am using this cipher string on some client and server side ssl profiles. DEFAULT:@STRENGTH:!3DES:!EXPORT:!EXP:!MD5:!RC4&nbsp;
If I add !DHE will it negate other DHE ciphers within DEFAULT suite?&nbsp;
Thanks. Dave&nbsp;

raghavendrasy · Answer

Yes. Please refer below article:&nbsp;
https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites&nbsp;
“!” – these ciphers are permanently deleted from the list and cannot reappear in the list even if explicitly stated.&nbsp;
“-“ - these ciphers are deleted from the list but can be re-added by later options.&nbsp;
“+” – these ciphers are moved to the end of the list.&nbsp;

wlopez · Answer

You can test your cipher string using the following commands from bash:
tmm --clientciphers 'YOUR CLIENT SSL CIPHER STRING'
tmm --serverciphers 'YOUR SERVER SSL CIPHER STRING'
Exammple:
This will give you the default client ssl ciphers for the version your running:
tmm --clientciphers 'DEFAULT'
With it you can see what's active by default on your version, and start working from there.
To view your current setup:
tmm --clientciphers 'DEFAULT:@STRENGTH:!3DES:!EXPORT:!EXP:!MD5:!RC4'
My recommendation based on your version, to comply with just about every regulation out there would be:
tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1:@STRENGTH'

Forum Discussion

how to prioritize cipher suites

2 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

Disabling Specific Weak Cipher Suites

Cipher suite mismatch advertisement/warning

SSL Profiles Part 4: Cipher Suites