Forum Discussion
Assistance in cipher
Hi All
Need assistance to enable the below standards on an SSL-enabled VIP.
Standardize configuration for SSL-enabled external sites to use industry best practices, such as:
- Use only AES-256 ciphers
- Use only strong hashing with a minimum of SHA1
- Set all systems to TLS v1.2
- Disable SSLv2 and SSLv3
Kindly advise which steps are to be used to meet the above standards.
my bigip ver : LTM : BIG-IP 11.2.1 Build 862.0 Hotfix HF2
6 Replies
- Vitaliy_Savrans
Nacreous
Hi, I think this link will be useful for you https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
- Rajendran2002_1
Nimbostratus
Looks like the link is not valid. Kindly share the right link.
- Anonymous
I fixed his link. It was missing the L in html.
- Kevin_Stewart
Employee
So what you're looking at is the cipher string that makes up the DEFAULT stack on any given platform. For 11.2 the DEFAULT stack is:
NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED
which negated things like DES and MD5 but still supports SSLv3. At a minimum you'll want to extend this to negate SSLv2 and SSLv3:
DEFAULT:!SSLv2:!SSLv3
But your absolute best bet is to upgrade your system to at least 11.5.0 with all of the hotfixes.
- Rajendran2002_1
Nimbostratus
I want to perform:
- AES-256 ciphers
- Use only strong hashing with a minimum of SHA1
- Set all systems to TLS v1.2
- Disable SSLv2 and SSLv3
Will the below command on the cipher option work?
DEFAULT:AES256-SHA:!SSLv2:!SSLv3:!TLSv1_0
- Kevin_Stewart
Employee
I don't have an 11.2 system in front of me to test, but you can do the following from the BIG-IP command line:
tmm --clientciphers 'DEFAULT:AES256-SHA:!SSLv2:!SSLv3:!TLSv1_0'
This will produce a list of cipher strings (in the DEFAULT stack) that meet these qualifications. You should be able to check for your requirements from within this list.
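Added example, not part of the original thread and not F5 tooling: a shell function that checks a `tmm --clientciphers` style listing against the requirements in the question (AES with 256-bit keys, TLS 1.2 only, no MD5 MAC as the reading of "minimum of SHA1"). The column layout, the function names and the sample listing are assumptions constructed for illustration; adjust the field numbers to what your version prints.

```shell
#!/bin/sh
# Assumed column layout (not taken from the thread):
#   IDX: ID SUITE BITS PROT METHOD CIPHER MAC KEYX

# Reads a cipher listing on stdin, prints one FAIL line per suite that
# breaks the policy, and returns 1 if any suite failed.
check_ciphers() {
    awk '
        $1 !~ /^[0-9]+:$/ { next }   # skip the header and blank lines
        {
            suite = $3; bits = $4; prot = $5; cipher = $7; mac = $8
            why = ""
            if (cipher !~ /^AES/)  why = why " cipher=" cipher
            if (bits + 0 != 256)   why = why " bits=" bits
            if (prot != "TLS1.2")  why = why " prot=" prot
            if (mac == "MD5")      why = why " mac=" mac
            if (why != "") { printf "FAIL %s (%s):%s\n", suite, prot, why; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample listing, for running the check offline.
sample_listing() {
    cat <<'EOF'
       ID  SUITE            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    53  AES256-SHA       256  TLS1.2  Native  AES     SHA     RSA
 1:    53  AES256-SHA       256  TLS1.1  Native  AES     SHA     RSA
 2:    47  AES128-SHA       128  TLS1.2  Native  AES     SHA     RSA
 3:     4  RC4-MD5          128  TLS1.2  Native  RC4     MD5     RSA
 4:    61  AES256-SHA256    256  TLS1.2  Native  AES     SHA256  RSA
EOF
}

# On a BIG-IP, pipe the real listing in instead:
#   tmm --clientciphers 'DEFAULT:!SSLv2:!SSLv3' | check_ciphers
sample_listing | check_ciphers || echo "listing does not meet the policy"
```

An empty result with exit status 0 means every suite the cipher string expands to meets all three requirements; any FAIL line names the suite and protocol pairing that still needs to be negated.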