Forum Discussion

Oct 18, 2017

Prefer TLSv1.2 within the DEFAULT cipher group

I am trying to manipulate my cipher suite. My requirements are:

  • DEFAULT list only
  • remove 3DES
  • Prioritize TLSv1.2 above TLS1.1 and TLS1.0 (without adding ciphers not included in the default list)

Sounds easy but it is not given how limiting the v12.1.2 tmm --clientciphers utility is. The challenge is preferring TLSv1.2 without adding ciphers not in the DEFAULT list. I have even tried explicitly adding each TLSV1.2 suite individually, but suites like "DHE-RSA-AES256-SHA" bring in sslv3 and other undesirable strings. Any suggestions are appreciated. Thanks,

3 Replies

  • I figured it out. tmm --clientciphers '!3DES:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:-SSLv3:-TLSv1:-TLSv1_1:!DTLSv1:DEFAULT'

    Gives me:

         ID     SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:  159    DHE-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
     1:  158    DHE-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
     2:  107    DHE-RSA-AES256-SHA256         256  TLS1.2  Native  AES      SHA256  EDH/RSA
     3:  57     DHE-RSA-AES256-SHA            256  TLS1.2  Native  AES      SHA     EDH/RSA
     4:  157    AES256-GCM-SHA384             256  TLS1.2  Native  AES-GCM  SHA384  RSA
     5:  156    AES128-GCM-SHA256             128  TLS1.2  Native  AES-GCM  SHA256  RSA
     6:  61     AES256-SHA256                 256  TLS1.2  Native  AES      SHA256  RSA
     7:  53     AES256-SHA                    256  TLS1.2  Native  AES      SHA     RSA
     8:  60     AES128-SHA256                 128  TLS1.2  Native  AES      SHA256  RSA
     9:  47     AES128-SHA                    128  TLS1.2  Native  AES      SHA     RSA
    10:  49200  ECDHE-RSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
    11:  49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
    12:  49192  ECDHE-RSA-AES256-SHA384       256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
    13:  49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1.2  Native  AES      SHA     ECDHE_RSA
    14:  49191  ECDHE-RSA-AES128-SHA256       128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
    15:  49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1.2  Native  AES      SHA     ECDHE_RSA
    16:  103    DHE-RSA-AES128-SHA256         128  TLS1.2  Native  AES      SHA256  EDH/RSA
    17:  51     DHE-RSA-AES128-SHA            128  TLS1.2  Native  AES      SHA     EDH/RSA
    18:  51     DHE-RSA-AES128-SHA            128  TLS1    Native  AES      SHA     EDH/RSA
    19:  57     DHE-RSA-AES256-SHA            256  TLS1    Native  AES      SHA     EDH/RSA
    20:  51     DHE-RSA-AES128-SHA            128  TLS1.1  Native  AES      SHA     EDH/RSA
    21:  57     DHE-RSA-AES256-SHA            256  TLS1.1  Native  AES      SHA     EDH/RSA
    22:  53     AES256-SHA                    256  TLS1    Native  AES      SHA     RSA
    23:  47     AES128-SHA                    128  TLS1    Native  AES      SHA     RSA
    24:  53     AES256-SHA                    256  TLS1.1  Native  AES      SHA     RSA
    25:  47     AES128-SHA                    128  TLS1.1  Native  AES      SHA     RSA
    26:  49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1    Native  AES      SHA     ECDHE_RSA
    27:  49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1    Native  AES      SHA     ECDHE_RSA
    28:  49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1.1  Native  AES      SHA     ECDHE_RSA
    29:  49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1.1  Native  AES      SHA     ECDHE_RSA
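A way to verify a result like the one in the reply, as an added example that is not from the thread or from F5: it parses `tmm --clientciphers` output in the row format shown above and checks the three requirements from the question (no 3DES suite, every suite in the DEFAULT list, every TLS1.2 entry ranked ahead of any TLS1.1/TLS1 entry). The DEFAULT suite set is assumed to be collected separately with `tmm --clientciphers DEFAULT` on the same BIG-IP version, and treating `CBC3`/`3DES` in a suite name (as in DES-CBC3-SHA) as the 3DES marker is an assumption; `parse_clientciphers` and `check_policy` are names chosen here.

```python
import re

# Constructed sample in the row format of the reply's output; the IDs and
# suite names are taken from that output, the list is shortened for brevity.
SAMPLE_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
    0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
    1: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
    2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
    3: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
    4: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
"""

# One data row: "<n>: <ID> <SUITE> <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>"
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_clientciphers(text):
    """Parse tmm --clientciphers output into a list of dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, suite, bits, prot, method, cipher, mac, keyx = m.groups()
            rows.append({"id": int(cid), "suite": suite, "bits": int(bits),
                         "prot": prot, "cipher": cipher, "keyx": keyx})
    return rows


def check_policy(rows, default_suites):
    """Return a list of findings (empty means all three requirements hold).

    default_suites: set of suite names from `tmm --clientciphers DEFAULT` on
    the same version (assumed to be gathered separately).
    """
    findings = []
    seen_lower_proto = False
    for pos, r in enumerate(rows):
        # Assumption: the 3DES suite is named like DES-CBC3-SHA.
        if "CBC3" in r["suite"] or "3DES" in r["suite"]:
            findings.append(f"row {pos}: 3DES suite {r['suite']} still present")
        if r["suite"] not in default_suites:
            findings.append(f"row {pos}: {r['suite']} is not in the DEFAULT list")
        if r["prot"] != "TLS1.2":
            seen_lower_proto = True          # from here on, no TLS1.2 row may appear
        elif seen_lower_proto:
            findings.append(f"row {pos}: TLS1.2 entry {r['suite']} ranked below a TLS1.1/TLS1 entry")
    return findings


if __name__ == "__main__":
    parsed = parse_clientciphers(SAMPLE_OUTPUT)
    print(check_policy(parsed, {r["suite"] for r in parsed}) or "policy OK")
```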