Forum Discussion

PeteW
Apr 10, 2013

Amending clientssl ciphers with TMSH

Guys,

Hopefully someone has already covered this one, but I have the following clientssl profile:

ltm profile client-ssl pw_clientssl {
    cert pw.bigip.test.com.crt
    ciphers DEFAULT
    defaults-from clientssl
    key pw.bigip.test.com.key
}

with the default clientssl as follows:

ltm profile client-ssl clientssl {
    alert-timeout 60
    authenticate once
    authenticate-depth 9
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert default.crt
    chain none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    handshake-timeout 60
    key default.key
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-cert-mode ignore
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation disabled
    strict-resume disabled
    unclean-shutdown enabled
}

I want to test amending the ciphers from DEFAULT to either of the following, without success using tmsh:

HIGH:MEDIUM:!SSLv2
-ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM

If I use the following:

tmsh modify ltm profile client-ssl pw_clientssl ciphers HIGH:MEDIUM:!SSLv2
tmsh modify ltm profile client-ssl pw_clientssl ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM

I receive the error: -bash: !SSLv2: event not found

Surely I can amend the ciphers string with TMSH?

Any ideas, chaps? I've followed the tmsh documentation and there's nothing else I can currently think of.

6 Replies

  • PeteW
    Sorted :)

    The only way I can seem to do this is to drop straight into TMOS and paste the code in from there.

    E.g.

    admin@pw-bigip(Active)(tmos)
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos) modify ltm profile client-ssl pw_clientssl ciphers HIGH:MEDIUM:!SSLv2
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers HIGH:MEDIUM:!SSLv2
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos) modify ltm profile client-ssl pw_clientssl ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
    admin@pw-bigip(Active)(tmos) list ltm profile client-ssl pw_clientssl
    ltm profile client-ssl pw_clientssl {
        cert pw.bigip.test.com.crt
        ciphers -ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM
        defaults-from clientssl
        key pw.bigip.test.com.key
    }
    admin@pw-bigip(Active)(tmos)

    Result :)
  • Brent_Blood_768
    Historic F5 Account
    Try escaping the ! with a backslash in your tmsh command. Bash is attempting to perform history expansion when it sees the bang.
  • PeteW
    Posted By Brent Blood on 04/10/2013 02:02 PM
    Try escaping the ! with a backslash in your tmsh command. Bash is attempting to perform history expansion when it sees the bang.

    Hmm, interesting. Didn't think of that. Cheers Brent, will do :)

    • Chris_FP
      I tried that and it didn't work. I had to do the following for mine - add the ' at the start and end of the cipher list:

      tmsh modify ltm profile client-ssl clientsslprofile { ciphers '\!SSLv2\:\!EXPORT\:ECDHE\+AES\-GCM\:ECDHE\+AES\:ECDHE\+3DES\:RSA\+AES\-GCM\:RSA\+AES\:RSA\+3DES\:\-MD5\:\-SSLv3\:\-RC4\:\@SPEED' defaults-from clientssl }
    • PeteW
      Interesting .. I'll give that a go. I've noticed that it also depends on the base OS, as 10.2.4 behaves differently to 11.2 to 11.6 .. go figure.
  • These work for me:

    tmsh create ltm profile client-ssl my-ssl-profile defaults-from clientssl ciphers '!EXPORT:!SSLv3:!TLSv1:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:+TLSv1_1'
    tmsh modify ltm profile client-ssl my-ssl-profile ciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:+TLSv1_1'

    So it looks like only the first ! needs to be escaped.
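The cipher strings in this thread (the question's -ALL:RC4:... string, Chris_FP's, and the last reply's) differ in how they treat weak keywords, and any string containing ! also trips bash history expansion when pasted unquoted. The Python below is an added example, not code from any poster or from F5: it parses an OpenSSL-style cipher string (assumed here to mirror the grammar BIG-IP's ciphers option accepts) and reports which weak keywords are permanently excluded with !, soft-deleted with -, or still allowed, plus whether the string needs single quotes on a bash command line.

```python
import re

# Keywords a defender does not want left enabled on a client-ssl profile,
# compared case-insensitively against each part of a cipher-string token.
WEAK = {"RC4", "SSLV2", "SSLV3", "EXPORT", "EXP", "NULL", "ADH", "LOW", "MD5"}

TOKEN_RE = re.compile(r"^([!+\-]?)(.+)$")

def parse_cipher_string(spec):
    """Split an OpenSSL-style cipher string into (operator, keyword) pairs.

    Operators follow OpenSSL's grammar (assumed identical on BIG-IP):
      ''  add matching ciphers          '+'  move matching ciphers to the end
      '-' delete (a later token may re-add them)   '!' delete permanently
    """
    pairs = []
    for raw in spec.split(":"):
        raw = raw.strip()
        if raw:
            op, kw = TOKEN_RE.match(raw).groups()
            pairs.append((op, kw))
    return pairs

def lint_cipher_string(spec):
    """Report how each weak keyword is treated, plus the bash quoting hazard."""
    report = {"needs_quoting": "!" in spec,   # unquoted '!' triggers history expansion
              "allowed": [], "soft_deleted": [], "excluded": []}
    for op, kw in parse_cipher_string(spec):
        if kw.startswith("@"):               # @SPEED / @STRENGTH only reorder the list
            continue
        # Compound tokens such as ECDHE+AES-GCM are parts ANDed together by '+'.
        for part in kw.split("+"):
            if part.upper() not in WEAK:
                continue
            if op == "!":
                report["excluded"].append(part)
            elif op == "-":
                report["soft_deleted"].append(part)
            else:   # '' adds; '+' merely reorders, so the keyword is still not excluded
                report["allowed"].append(part)
    return report

if __name__ == "__main__":
    # Strings taken from the thread above (Chris_FP's with its backslashes removed).
    for spec in ("-ALL:RC4:!SSLv2:!NULL:!ADH:!LOW:!EXP:+TLSv1:+SSLv3:HIGH:MEDIUM",
                 "!SSLv2:!EXPORT:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:RSA+AES-GCM:"
                 "RSA+AES:RSA+3DES:-MD5:-SSLv3:-RC4:@SPEED",
                 "!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:+TLSv1_1"):
        print(spec, "->", lint_cipher_string(spec))
```

The first string shows RC4 and SSLv3 still allowed despite the many ! exclusions; Chris_FP's only soft-deletes MD5, SSLv3 and RC4 with -, which a later token could re-add, whereas the last reply's !SSLv3 is permanent.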