Forum Discussion
cipher help
Hi, BIG IP 11.5
I have the following profile
    ltm profile client-ssl clientssl {
        alert-timeout 10
        app-service none
        authenticate once
        authenticate-depth 9
        ca-file none
        cache-size 262144
        cache-timeout 3600
        cert default.crt
        cert-extension-includes { basic-constraints subject-alternative-name }
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        chain none
        ciphers DEFAULT
        client-cert-ca none
        crl-file none
        handshake-timeout 10
        inherit-certkeychain false
        key default.key
        mod-ssl-methods disabled
        mode enabled
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode ignore
        renegotiate-max-record-delay indefinite
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation require
        strict-resume disabled
        unclean-shutdown enabled
    }
    ltm profile client-ssl test {
        app-service none
        cert digicert.crt
        cert-key-chain {
            digicert {
                cert digicert.crt
                chain gdigicertchain.crt
                key digicert.key
            }
        }
        chain gdigicertchain.crt
        defaults-from clientssl
        inherit-certkeychain false
        key digicert.key
        passphrase none
    }
I need to change the cipher suite to "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS".
If I change 'ciphers' in the test profile, does it work? Or do I need to do something else?
    ltm profile client-ssl test {
        app-service none
        cert digicert.crt
        cert-key-chain {
            digicert {
                cert digicert.crt
                chain gdigicertchain.crt
                key digicert.key
            }
        }
        chain gdigicertchain.crt
        **ciphers DEFAULT:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS**
        defaults-from clientssl
        inherit-certkeychain false
        key digicert.key
        passphrase none
    }
- Hannes_Rapp
Nimbostratus
Yup, apply custom cipher configuration to your custom profile, or even better, refer to the model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating the same custom settings across many app-specific profiles. So I found 3-tiered models work the best. Here's what I do:
1. clientssl (vendor default). Always untouched.
2. clientssl_base (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile: I only have to define my custom configurations, i.e. preferred cipher suites, just once without having to alter vendor defaults.
3. clientssl_appspecific (defaults-from clientssl_base). This profile has the application-specific TLS cert/key pair attached to it; cipher configuration and all other settings are derived from the clientssl_base profile.
- bluestar007_339
Nimbostratus
Hi, thanks for the reply.
If the box does not support the "ECDH+AESGCM" suite, what is the point of adding it to the profile? How do I make sure that the box supports ECDH+AESGCM?
Thanks
- Hannes_Rapp
Nimbostratus
ECDH+AESGCM is not a valid keyword for configuration...
    [root@bip-02:Active:Standalone] config tmm --clientciphers "ECDH+AESGCM"
           ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
If you really want to match ECDH with AES and GCM, your closest match would be just the "AES-GCM" option, which would give you all of the following (exact list depends on your BigIP version):
    [root@bip-02:Active:Standalone] config tmm --clientciphers "AES-GCM"
           ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     2:   163  DHE-DSS-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
     3:   159  DHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
     4:   167  ADH-AES256-GCM-SHA384          256  TLS1.2  Native  AES-GCM  SHA384  ADH
     5: 49202  ECDH-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
     6: 49198  ECDH-ECDSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
     7:   157  AES256-GCM-SHA384              256  TLS1.2  Native  AES-GCM  SHA384  RSA
     8: 49199  ECDHE-RSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     9: 49195  ECDHE-ECDSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    10:   162  DHE-DSS-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
    11:   158  DHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
    12:   166  ADH-AES128-GCM-SHA256          128  TLS1.2  Native  AES-GCM  SHA256  ADH
    13: 49201  ECDH-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
    14: 49197  ECDH-ECDSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
    15:   156  AES128-GCM-SHA256              128  TLS1.2  Native  AES-GCM  SHA256  RSA
To reduce complexity, I recommend you configure your ciphers as an exclusive derivative of ALL or DEFAULT.
First see what ALL or DEFAULT is for your BigIP version like this:
    tmm --clientciphers "ALL"
Then start excluding the junk you do not like with minus (-) signs or exclamation marks (!). The final result will not be as long and bulky as in the case of an inclusive configuration.
I.e.
    tmm --clientciphers "ALL:-SHA1"
See my answer in this thread for cipher ideas for version 11.5.x for PCI compliance: https://devcentral.f5.com/questions/pci-cipher-set
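A check worth running before committing a cipher string: parse the `tmm --clientciphers` table above and flag the suites the "AES-GCM" keyword pulls in that a hardened profile should not carry (anonymous ADH, DSS, and static RSA/ECDH key exchange without forward secrecy). This is an added example, not code from the thread or from F5; the sample table is a constructed subset of the output quoted above, and the column spellings (KEYX values, MAC names) are assumed from that output.

```python
import re
from collections import namedtuple
from typing import Dict, List

# Constructed sample: a subset of the tmm --clientciphers "AES-GCM" table
# quoted in the answer above (header row plus six suites).
TMM_OUTPUT = """\
       ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 2:   163  DHE-DSS-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
 4:   167  ADH-AES256-GCM-SHA384          256  TLS1.2  Native  AES-GCM  SHA384  ADH
 5: 49202  ECDH-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
 7:   157  AES256-GCM-SHA384              256  TLS1.2  Native  AES-GCM  SHA384  RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
"""

Suite = namedtuple("Suite", "name bits prot mac keyx")
# One numbered row: index, id, suite, bits, prot, method, cipher, mac, keyx.
ROW = re.compile(r"^\s*\d+:\s+\d+\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$")

def parse_tmm_clientciphers(text: str) -> List[Suite]:
    """Parse the numbered rows of the tmm table; the header row is skipped."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, bits, prot, mac, keyx = m.groups()
            suites.append(Suite(name, int(bits), prot, mac, keyx))
    return suites

# KEYX values (spelled as in the table, assumed) that use ephemeral DH/ECDH and so give forward secrecy.
EPHEMERAL_KEYX = {"ECDHE_RSA", "ECDHE_ECDSA", "EDH/RSA", "DHE/DSS"}

def audit(suites: List[Suite]) -> Dict[str, List[str]]:
    """Map each suite a hardened profile should exclude to the reasons why."""
    findings: Dict[str, List[str]] = {}
    for s in suites:
        reasons = []
        if s.keyx == "ADH":
            reasons.append("anonymous DH: no server authentication")
        elif s.keyx not in EPHEMERAL_KEYX:
            reasons.append("no forward secrecy")  # static RSA or static ECDH key exchange
        if "DSS" in s.keyx:
            reasons.append("DSS signatures")
        if s.mac == "SHA1":
            reasons.append("SHA1 MAC")
        if reasons:
            findings[s.name] = reasons
    return findings
```

Run against the full 16-row table, this leaves only the four ECDHE/DHE-RSA GCM suites unflagged, which is the effect the exclusion string `!ADH:!SHA1` plus `!DSS` aims for.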
- bluestar007_339
Nimbostratus
Hi, now I am getting clear on the subject. Let me ask you about "tmm --clientciphers "ECDH+AESGCM"": does it mean BIG-IP does not support this?
Or, if I rephrase the question: are "ECDH+AESGCM" and "AES-GCM" the same?
What exactly does this command do?
    tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
Will this remove !RC4 from the box forever?
Thanks