tmm --serverciphers DEFAULT.

Question

Im getting this output on a v11 and a v10 box.  Im trying to determine what would the "actual" stack list the server profile would give to an endpoint (server)?  The reason for the question is because Im having a difficult server guy tell me that they are getting lower end ciphers instead of the highest first with 11.5.3.  Of course, they will not change anything on their side so Im trying to workaround their limitations by modifying a serverssl profile on the LTM.  If anyone has a magic F5 document that they can point me to that specifically says this is the stack list... that would be great.  I did see SOL13163 11.5.3 and this one SOL13156.&nbsp;
Does it go by unit id first or  (as in the far left number)?  Because its a bit different in v11 vs v10.&nbsp;
[root@11.5.3-ltm:Active:In Sync] ~  tmm --serverciphers 'DEFAULT'&nbsp;
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX&nbsp;
0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA&nbsp;
1:    53  AES256-SHA                       256  TLS1    Native  AES     SHA     RSA&nbsp;
2:    53  AES256-SHA                       256  TLS1.1  Native  AES     SHA     RSA&nbsp;
3:    53  AES256-SHA                       256  TLS1.2  Native  AES     SHA     RSA&nbsp;
4:    53  AES256-SHA                       256  DTLS1   Native  AES     SHA     RSA&nbsp;
5:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA&nbsp;
6:    47  AES128-SHA                       128  TLS1    Native  AES     SHA     RSA&nbsp;
7:    47  AES128-SHA                       128  TLS1.1  Native  AES     SHA     RSA&nbsp;
8:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA&nbsp;
9:    47  AES128-SHA                       128  DTLS1   Native  AES     SHA     RSA&nbsp;
10:    10  DES-CBC3-SHA                     192  TLS1    Native  DES     SHA     RSA&nbsp;
11:    10  DES-CBC3-SHA                     192  TLS1.1  Native  DES     SHA     RSA&nbsp;
12:    10  DES-CBC3-SHA                     192  TLS1.2  Native  DES     SHA     RSA&nbsp;
13:    10  DES-CBC3-SHA                     192  DTLS1   Native  DES     SHA     RSA&nbsp;
14:     5  RC4-SHA                          128  TLS1    Native  RC4     SHA     RSA&nbsp;
15:     5  RC4-SHA                          128  TLS1.1  Native  RC4     SHA     RSA&nbsp;
16:     5  RC4-SHA                          128  TLS1.2  Native  RC4     SHA     RSA&nbsp;
17: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA&nbsp;
18: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA&nbsp;
19: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA&nbsp;
20: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA&nbsp;
21: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA&nbsp;
22: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA&nbsp;
23: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA&nbsp;
24: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA&nbsp;
25: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA&nbsp;
26: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA&nbsp;
27: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA  &nbsp;
[root@v10.2.4-ltm:Active] convert  tmm --serverciphers DEFAULT&nbsp;
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX&nbsp;
0:   5 RC4-SHA                         128  SSL3  Native RC4    SHA    RSA&nbsp;
1:   5 RC4-SHA                         128  TLS1  Native RC4    SHA    RSA&nbsp;
2:   5 RC4-SHA                         128  TLS1.2  Native RC4    SHA    RSA&nbsp;
3:  47 AES128-SHA                      128  SSL3  Native AES    SHA    RSA&nbsp;
4:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA&nbsp;
5:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA&nbsp;
6:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA&nbsp;
7:  53 AES256-SHA                      256  SSL3  Native AES    SHA    RSA&nbsp;
8:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA&nbsp;
9:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA&nbsp;
10:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA&nbsp;
11:  10 DES-CBC3-SHA                    192  SSL3  Native DES    SHA    RSA&nbsp;
12:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA&nbsp;
13:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA&nbsp;
14:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA&nbsp;
15:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA&nbsp;
16:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA  &nbsp;

brad_parker · Answer

The preference order will be what is shown in your output. 0 is most preferred and first in the list. Do you have an idea of the cipher suites your server wants preferred? In the end the server is the one who decides on the cipher the SSL connection will use based on your submitted list and his preference.

thecook · Answer

sol13171 might have what you're after. You can re-order them by strength using 'DEFAULT:@strength', but it also might be worth asking specifically what they do and do not want to see. You can then exclude ciphers by type, or exclude individual ciphers if you wish.&nbsp;
-Tim&nbsp;

Forum Discussion

tmm --serverciphers DEFAULT.

2 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

How is each tmm different?

Lightboard Lessons: CPU Hyper-Threads and TMM

Parameteters in default https monitor

change default admin user name on F5

TMM RESTARTING! (14.1.5)