Forum Discussion

SivaYenduri
Jan 09, 2020

Create a CIPHER for SSL Client profile

Hello All,

 

Can someone help me create a cipher for the below? I need to add this cipher in a new SSL client profile for a VIP. I'm not sure about the correct format. Please help me.

 

SSL_RSA_WITH_AES_256_CBC_SHA

8 Replies

  • Hi,

     

    It seems like the cipher "SSL_RSA_WITH_AES_256_CBC_SHA" is based on SSLv3, and BIG-IP 12.x has removed the SSLv3 cipher suites from the default client SSL profile.

     

    In case you need to enable SSLv3 again in the client SSL profile, you can append it to the "Ciphers" property in the client SSL profile properties, e.g. "DEFAULT:SSLv3".

     

    You can also verify whether the cipher matches your requirement. You can run it as in the example below.

     

    [root@bigip1:Active:Standalone] config # tmm --clientcipher 'DEFAULT:SSLv3'
               ID  SUITE                        BITS  PROT    CIPHER   MAC     KEYX
     0: 49199  ECDHE-RSA-AES128-GCM-SHA256   128  TLS1.2  AES-GCM  SHA256  ECDHE_RSA
     1: 49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1    AES      SHA     ECDHE_RSA
     2: 49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1.1  AES      SHA     ECDHE_RSA
     3: 49171  ECDHE-RSA-AES128-CBC-SHA      128  TLS1.2  AES      SHA     ECDHE_RSA
     4: 49191  ECDHE-RSA-AES128-SHA256       128  TLS1.2  AES      SHA256  ECDHE_RSA
     5: 49200  ECDHE-RSA-AES256-GCM-SHA384   256  TLS1.2  AES-GCM  SHA384  ECDHE_RSA
     6: 49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1    AES      SHA     ECDHE_RSA
     7: 49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1.1  AES      SHA     ECDHE_RSA
     8: 49172  ECDHE-RSA-AES256-CBC-SHA      256  TLS1.2  AES      SHA     ECDHE_RSA
    ...
    56:  4865  TLS13-AES128-GCM-SHA256       128  TLS1.3  AES-GCM  NULL    *
    57:  4866  TLS13-AES256-GCM-SHA384       256  TLS1.3  AES-GCM  NULL    *
    58:    50  DHE-DSS-AES128-SHA            128  SSL3    AES      SHA     DHE/DSS
    59:    56  DHE-DSS-AES256-SHA            256  SSL3    AES      SHA     DHE/DSS
    60:    52  ADH-AES128-SHA                128  SSL3    AES      SHA     ADH
    61:    58  ADH-AES256-SHA                256  SSL3    AES      SHA     ADH
    62:    10  DES-CBC3-SHA                  168  SSL3    DES      SHA     RSA
    63:    22  DHE-RSA-DES-CBC3-SHA          168  SSL3    DES      SHA     EDH/RSA
    64:    27  ADH-DES-CBC3-SHA              168  SSL3    DES      SHA     ADH
    65:    21  DHE-RSA-DES-CBC-SHA            64  SSL3    DES      SHA     EDH/RSA
    66:     9  DES-CBC-SHA                    64  SSL3    DES      SHA     RSA
    67:    26  ADH-DES-CBC-SHA                64  SSL3    DES      SHA     ADH
    68:     5  RC4-SHA                       128  SSL3    RC4      SHA     RSA
    69:     4  RC4-MD5                       128  SSL3    RC4      MD5     RSA
    70:    24  ADH-RC4-MD5                   128  SSL3    RC4      MD5     ADH
    71:    98  EXP1024-DES-CBC-SHA            56  SSL3    DES      SHA     RSA
    72:     8  EXP-DES-CBC-SHA                40  SSL3    DES      SHA     RSA
    73:   100  EXP1024-RC4-SHA                56  SSL3    RC4      SHA     RSA
    74:     3  EXP-RC4-MD5                    40  SSL3    RC4      MD5     RSA
    75:    47  AES128-SHA                    128  SSL3    AES      SHA     RSA
    76:    53  AES256-SHA                    256  SSL3    AES      SHA     RSA
    77:    51  DHE-RSA-AES128-SHA            128  SSL3    AES      SHA     EDH/RSA
    78:    57  DHE-RSA-AES256-SHA            256  SSL3    AES      SHA     EDH/RSA

     

    Please try it on a development virtual server before applying it to production.

    • Mitheor

      Hi,

       

      If you want to check which ciphers (and their format) are supported on your device, try this:

       

      tmm --clientciphers all

      or

      tmm --serverciphers all

       

      Br

  • I have used that command and found these three are related.

     

     4: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1    Native  AES  SHA  ECDHE_RSA
     5: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.1  Native  AES  SHA  ECDHE_RSA
     6: 49172  ECDHE-RSA-AES256-CBC-SHA  256  TLS1.2  Native  AES  SHA  ECDHE_RSA

     

    But the protocols supported are TLS versions, and the client needs SSL.

  • Does that mean that v12 doesn't support SSL anymore? Sorry for my limited knowledge of F5 :)

    • Mitheor

      It's not recommended.

       

      You can try if that suite appears with:

       

      tmm --clientciphers NATIVE

       

      If it's there, you can configure it in the VS.

      If it's not, you can't.

       

      Br
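Added example, not part of the thread or of F5's own tooling: a small POSIX sh check over the listing that `tmm --clientciphers <cipher-string>` prints (the first reply runs it with 'DEFAULT:SSLv3', Mitheor suggests 'all' and 'NATIVE'). It answers the "correct format" question from the data already on the page: the IANA name SSL_RSA_WITH_AES_256_CBC_SHA (TLS_RSA_WITH_AES_256_CBC_SHA) is code point 0x0035, decimal 53, and tmm's ID column is decimal, so row 76 above shows that the name tmm and OpenSSL use for it is AES256-SHA. It also counts what 'DEFAULT:SSLv3' drags in besides that suite. The sample listing is a constructed subset of the output posted above; the function names are mine.

```shell
#!/bin/sh
# Constructed subset of the 'DEFAULT:SSLv3' listing from the thread. On a
# BIG-IP you would pipe the live command in instead:
#   tmm --clientciphers 'DEFAULT:SSLv3' | count_weak
SAMPLE='        ID SUITE              BITS PROT  CIPHER       MAC   KEYX
 0: 49199 ECDHE-RSA-AES128-GCM-SHA256   128 TLS1.2 AES-GCM       SHA256 ECDHE_RSA
 8: 49172 ECDHE-RSA-AES256-CBC-SHA     256 TLS1.2 AES         SHA   ECDHE_RSA
60:  52 ADH-AES128-SHA          128 SSL3  AES         SHA   ADH
65:  21 DHE-RSA-DES-CBC-SHA        64 SSL3  DES         SHA   EDH/RSA
69:   4 RC4-MD5             128 SSL3  RC4         MD5   RSA
72:   8 EXP-DES-CBC-SHA          40 SSL3  DES         SHA   RSA
76:  53 AES256-SHA            256 SSL3  AES         SHA   RSA'

# Only rows whose first field is an index like "76:" are cipher entries;
# the header line and any "..." elision marker are skipped by this guard.
ROW='$1 ~ /^[0-9]+:$/'

# suite_for_codepoint HEX: convert an IANA code point (0x0035 for
# TLS_RSA_WITH_AES_256_CBC_SHA) to decimal and look it up in tmm's decimal
# ID column. Prints the tmm/OpenSSL-style name to put in the Ciphers string.
suite_for_codepoint() {
    dec=$(printf '%d' "$1")
    awk -v id="$dec" "$ROW"' && $2 == id { print $3; exit }'
}

# suite_protocols NAME: every protocol version the suite is offered on.
# AES256-SHA showing up only as SSL3 tells you the string enabled it for
# SSLv3 alone, which is the configuration you want to notice before go-live.
suite_protocols() {
    awk -v s="$1" "$ROW"' && $3 == s { print $5 }'
}

# count_weak: rows a security review would reject: anything on SSL3,
# RC4 or (single/triple) DES ciphers, export-grade EXP* suites, and
# anonymous DH (ADH), which performs no server authentication at all.
count_weak() {
    awk "$ROW"' && ($5 == "SSL3" || $6 == "RC4" || $6 == "DES" || $3 ~ /^EXP/ || $8 == "ADH") { n++ }
         END { print n + 0 }'
}

printf '%s\n' "$SAMPLE" | suite_for_codepoint 0x0035   # AES256-SHA
printf '%s\n' "$SAMPLE" | suite_protocols AES256-SHA   # SSL3
printf '%s\n' "$SAMPLE" | count_weak                   # 5
```

The practitioner's check is the second and third function together: after editing the Ciphers property (from tmsh, `create ltm profile client-ssl <name> ciphers '<string>' defaults-from clientssl`), run the live `tmm --clientciphers '<string>'` through `suite_protocols` for the suite you were asked for and through `count_weak` for everything else it pulled in. In the listing posted above, 'DEFAULT:SSLv3' adds 21 SSL3-only rows (RC4, 40-bit export, anonymous DH among them) to get the one AES256-SHA entry the question asked about.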