Forum Discussion
Adding a new crypto set to the SSL Client Profile
Hi Nitass, thank you very much for your answer. This helped me to resolve my issue!!!
When I try this command on our 11.4.1 system, I don't see any ECDHE with SHA256:
[xxxx@xxxxxxx-new:Active:Changes Pending] ~ tmm --clientciphers ECDHE:ECDSA:AES128:CBC:SHA256
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
5: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
8: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
9: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
10: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
[xxxx@xxxxxxx-new:Active:Changes Pending] ~
I found this useful: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/3.html
Note: The following are not included in the DEFAULT cipher suite:
* The DHE cipher suites
* Elliptic curve ciphers with DSA
Since I am looking for something compatible with the device we have, I am also looking at DHE now:
[xxxx@xxxxxxx-new:Active:Changes Pending] ~ tmm --clientciphers DHE
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 SSL3 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 SSL3 Native DES SHA EDH/RSA
9: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 192 SSL3 Native DES SHA EDH/RSA
13: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
[xxxx@xxxxxxx-new:Active:Changes Pending] ~
One of the combinations that would make the system work is: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
The following looked like they could work (since I read someplace that the CBC is optional normally), so I tested using DHE.
0: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
I found that this works for me.
Thank you for all your help.
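Added example, not part of the original post and not F5 code: the ID column of `tmm --clientciphers` is the decimal IANA cipher suite code, so a requirement given as an IANA name (TLS_DHE_RSA_WITH_AES_128_CBC_SHA is 0x0033 = 51) can be matched by number rather than by F5's shorter suite name. The function names and the weak-offer thresholds (SSL3, under 128 bits) are assumptions of this sketch.

```python
import re

# Constructed sample: a subset of rows from the `tmm --clientciphers DHE` output in the post.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 SSL3 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 SSL3 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
"""

# IANA TLS cipher suite registry codes for the suites listed in the post.
IANA = {
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Row layout: "<index>: <ID> <SUITE> <BITS> <PROT> ..."; only these fields are needed.
ROW = re.compile(r"\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s")

def parse(text):
    """Parse cipher rows into dicts; the header and shell prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            code, name, bits, prot = m.groups()
            rows.append({"code": int(code), "f5_name": name, "bits": int(bits),
                         "prot": prot, "iana": IANA.get(int(code), "unknown")})
    return rows

def protocols_for(rows, iana_name):
    """Protocol versions on which the cipher string offers the given IANA suite."""
    return sorted({r["prot"] for r in rows if r["iana"] == iana_name})

def weak_offers(rows, min_bits=128, bad_prots=("SSL3",)):
    """(suite, protocol) pairs a reviewer would want excluded from the profile."""
    return [(r["f5_name"], r["prot"]) for r in rows
            if r["bits"] < min_bits or r["prot"] in bad_prots]
```

On the sample rows, `protocols_for(parse(SAMPLE), "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")` confirms the required suite is offered, and `weak_offers` shows that a bare `DHE` string also enables SSL3 and 64-bit DES entries.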