Forum Discussion

PeteW
Apr 10, 2013

Amending clientssl ciphers with TMSH

Guys,

Hopefully someone has already covered this one, but I have the following clientssl profile:

ltm profile client-ssl pw_clientssl {
    cert pw.bigip.test.com.crt
    ciphers DEFAULT
    defaults-from clientssl
    key pw.bigip.test.com.key
}

with the default clientssl as follows:

ltm profile client-ssl clientssl {
    alert-timeout 60
    authenticate once
    authenticate-depth 9
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert default.crt
    chain none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    handshake-timeout 60
    key default.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation disabled
    strict-resume disabled
    unclean-shutdown enabled
}

I want to test changing the ciphers from DEFAULT to either of the following, but without success using tmsh:

HIGH:MEDIUM:!SSLv2 or -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM

If I use the following:

tmsh modify ltm profile client-ssl pw_clientssl ciphers HIGH:MEDIUM:!SSLv2
tmsh modify ltm profile client-ssl pw_clientssl ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM

I receive the error: -bash: !SSLv2: event not found

Surely I can amend the ciphers string with TMSH?

Any ideas, chaps? I've followed the tmsh documentation and there's nothing else I can currently think of.

6 Replies

  • PeteW
    Sorted :)

    The only way I can seem to do this is to drop straight into TMOS and paste the code in from there.

    E.g.

    admin@pw-bigip(Active)(tmos)
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos) modify ltm profile client-ssl pw_clientssl ciphers HIGH:MEDIUM:!SSLv2
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers HIGH:MEDIUM:!SSLv2
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos) modify ltm profile client-ssl pw_clientssl ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos)

    Result :)
  • Brent_Blood_768
    Historic F5 Account
    Try escaping the ! with a backslash in your tmsh command. Bash is attempting to perform history expansion when it sees the bang.
  • PeteW
    Posted By Brent Blood on 04/10/2013 02:02 PM

    Try escaping the ! with a backslash in your tmsh command. Bash is attempting to perform history expansion when it sees the bang.

    Hmm, interesting, didn't think of that. Cheers Brent, will do :)

    • Chris_FP
      I tried that and it didn't work. I had to do the following for mine - add the ' at the start and end of the cipher list:

      tmsh modify ltm profile client-ssl clientsslprofile { ciphers '\!SSLv2\:\!EXPORT\:ECDHE\+AES\-GCM\:ECDHE\+AES\:ECDHE\+3DES\:RSA\+AES\-GCM\:RSA\+AES\:RSA\+3DES\:\-MD5\:\-SSLv3\:\-RC4\:\@SPEED' defaults-from clientssl }
    • PeteW
      Interesting .. I'll give that a go. I've noticed that it also depends on the base OS, as 10.2.4 behaves differently to 11.2 to 11.6 .. go figure.
  • These work for me:

    tmsh create ltm profile client-ssl my-ssl-profile defaults-from clientssl ciphers '!EXPORT:!SSLv3:!TLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:+TLSv1_1'
    tmsh modify ltm profile client-ssl my-ssl-profile ciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:+TLSv1_1'

    So it looks like only the first ! needs to be escaped.
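The thread's fixes all come down to keeping bash from seeing the `!` before tmsh does. The script below is an added example (not from any reply, and not F5 code): it validates an OpenSSL-style cipher list, builds the tmsh command with the list single-quoted so history expansion can never fire, and spells out what each `!`, `-` and `+` operator in a list does. The profile name pw_clientssl comes from the question; the function names are assumptions of this example and nothing here invokes tmsh.

```shell
#!/usr/bin/env bash
# Added example: safe quoting of a tmsh cipher string (hypothetical helpers).
# Run it as a script file: pasted into an interactive bash, the '!' inside
# the case patterns below would themselves be history-expanded. Other fixes
# from the thread: backslash each '!', enter the tmsh shell first, or turn
# history expansion off for the session with: set +H

# A cipher list is colon-separated tokens made of letters, digits, '_',
# the operators ! - + @ and '=' (for flags such as @STRENGTH). Rejecting
# anything else also means the value can never close the single quotes.
valid_cipher_string() {
    case "$1" in
        '' | *[!A-Za-z0-9:!+@_=-]*) return 1 ;;
    esac
}

# Profile names: letters, digits, '_', '.', '-' and '/' (for /Common/...).
valid_profile_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
}

# Print the command to run. Single quotes suppress history expansion and
# every other shell expansion, so no '!' needs a backslash.
build_tmsh_cipher_cmd() {
    profile=$1
    ciphers=$2
    valid_profile_name "$profile" || { echo "bad profile name: $profile" >&2; return 1; }
    valid_cipher_string "$ciphers" || { echo "bad cipher string: $ciphers" >&2; return 1; }
    printf "tmsh modify ltm profile client-ssl %s ciphers '%s'\n" "$profile" "$ciphers"
}

# One line per token: '!X' removes X for good, '-X' removes it until a
# later token adds it back, '+X' keeps X but moves it to the end.
explain_cipher_string() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            '!'*) printf '%s: permanently removed, cannot be re-added\n' "${tok#?}" ;;
            -*)   printf '%s: removed, a later token may re-add it\n' "${tok#?}" ;;
            +*)   printf '%s: kept, moved to the end of the list\n' "${tok#?}" ;;
            *)    printf '%s: added\n' "$tok" ;;
        esac
    done
}

build_tmsh_cipher_cmd pw_clientssl 'HIGH:MEDIUM:!SSLv2'
explain_cipher_string '-ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM'
```

Running the last line shows why the two strings in the question differ: `-ALL` clears the list and then re-adds RC4, whereas `!SSLv2` removes SSLv2 suites so that nothing later in the string can bring them back.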