F5 ciphersuite syntax

Question

Help me understand F5 ciphersuite syntax please: https://support.f5.com/csp/article/K13400&nbsp;
In the client-ssl ciphers syntax the article states that if you want to support TLS1.0 and SSL3.0 do the following:&nbsp;
tmsh create /ltm profile client-ssl  ciphers DEFAULT:-SSLv3:-TLSv1:RC4-SHA&nbsp;
&nbsp;If you don't want to allow SSLv3 do the following:&nbsp;
tmsh create /ltm profile client-ssl  ciphers DEFAULT:!SSLv3:-TLSv1:RC4-SHA&nbsp;
&nbsp;that would make sense because the exclamation mark (!) negates that protocol.&nbsp;
In the same article to disable all protocols except TLS1.2 for management access the syntax is as follows:&nbsp;
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'&nbsp;
Logic seems to suggest that this syntax is allowing protocols from SSLv3 and above. Meaning allow 'ALL' except those with the '!' and then explicitly allowing TLSv1 and SSLv3 (and above).&nbsp;
Since the article says I'm wrong how an I supposed to read this??? Confused!!! &nbsp;

vijay_e · Answer

When in doubt, try using and play with the cipher suite definition:
tmm --clientciphers 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:TLSv1:SSLv3:RC4-SHA'

ottleydamian · Answer

Despite what TMM showed in its output about I believe now that the syntax in the F5 article is CORRECT. I tested with the following commands:&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -ssl3&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1_1&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1_2&nbsp;
In the first 3 there was no negotiation but the last one accepted TLSv1.2. 
Note:I also noticed the syntax difference which might explain the difference in syntax for OpenSSL and TMM for TLSv1.2.&nbsp;

kevin_k_51432 · Answer

Greetings,&nbsp;
I parsed through the responses and don't see that anyone's mentioned this yet, apologies if this has already been mentioned:&nbsp;
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.&nbsp;
https://support.f5.com/csp/article/K13171&nbsp;
Hope this is helpful, thank you!&nbsp;
Kevin&nbsp;

ottleydamian · Answer

Thanks Kevin,&nbsp;
Actually the ! symbol was the syntax that I did understand. What was tripping me up before was if I only wanted TLSv1.2 ie. no sslv3, no tlsv1.0 and no tlsv1.1 why did the syntax in the F5 article have "-TLSv1:-SSLv3". I was expecting "!TLSv1:!SSLv3" etc.&nbsp;
But though I can't fully understand all the intricacies of why it works, I at least am confident that it does work.&nbsp;

kevin_k_51432 · Answer

I think the only difference would be flexibility. Allow customers to add specific ciphers back in if they deem them necessary. For example, tlsv1 would work for DHE-RSA-DES-CBC3-SHA (if you needed that):
-TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHA

tlsv1 would not work for DHE-RSA-DES-CBC3-SHA (if you needed it):
!TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA

Forum Discussion

F5 ciphersuite syntax

10 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

show sync status: Syntax Error

Syntax for creating pool with multiple monitors

Syntax for creating Persistence in F5 CLI

python f5 SDK 401 Unexpected Error: F5 Authorization Required

irule syntax error