Forum Discussion
cipher help
Yup, apply custom cipher configuration to your custom profile, or even better, refer to the model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating the same custom settings across many app-specific profiles. So I found a 3-tiered model works the best. Here's what I do:
1. clientssl (vendor default). Always untouched.
2. clientssl_base (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile: I only have to define my custom configurations, i.e. preferred cipher suites, just once without having to alter vendor defaults.
3. clientssl_appspecific (defaults-from clientssl_base). This profile has the application-specific TLS cert/key pair attached to it; cipher configuration and all other settings are derived from the clientssl_base profile.
- bluestar007_339 (Nimbostratus), Nov 12, 2017
Hi, thanks for the reply.
If the box does not support the "ECDH+AESGCM" suite, what is the point of adding it to the profile? How do I make sure that the box supports ECDH+AESGCM?
Thanks
- Hannes_Rapp (Nimbostratus), Nov 12, 2017
ECDH+AESGCM is not a valid keyword for configuration...
[root@bip-02:Active:Standalone] config tmm --clientciphers "ECDH+AESGCM"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
If you really want to match ECDH with AES and GCM, your closest match would be just the "AES-GCM" option, which would give you all of the following (exact list depends on your BigIP version):
[root@bip-02:Active:Standalone] config tmm --clientciphers "AES-GCM"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
3: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
4: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
5: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
6: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
7: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
10: 162 DHE-DSS-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 DHE/DSS
11: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
12: 166 ADH-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ADH
13: 49201 ECDH-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_RSA
14: 49197 ECDH-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_ECDSA
15: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
To reduce complexity, I recommend you configure your ciphers as exclusive derivative of ALL or DEFAULT.
First see what the ALL or DEFAULT is for your BigIP version like this:
tmm --clientciphers "ALL"
Then start excluding the junk you do not like with minus (-) signs or exclamation marks (!). The final result will not be as long and bulky as in case of inclusive configuration.
E.g.
tmm --clientciphers "ALL:-SHA1"
See my answer in this thread for cipher ideas for version 11.5.x for PCI compliance https://devcentral.f5.com/questions/pci-cipher-set
- bluestar007_339 (Nimbostratus), Nov 12, 2017
Hi, now I am getting clearer on the subject. Let me ask you about "tmm --clientciphers "ECDH+AESGCM"": does it mean BIG-IP does not support this?
Or, if I rephrase the question, are "ECDH+AESGCM" and "AES-GCM" the same?
What exactly is this command doing?
tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
Will this remove !RC4 from the box forever?
Thanks
- Hannes_Rapp (Nimbostratus), Nov 12, 2017
BigIP does support ECDH with AES and GCM. If you observe the list in my output above, cipher suites 5, 6, 13 and 14 are examples of this. The problem is the syntax matching: unfortunately "ECDH" is not a supported keyword you could use in your configurations. It's a pity, because there are many supported ECDH suites.
It's not exactly the same syntax as in the case of Apache web servers; you cannot copy an Apache cipher config to BigIP. It won't work. You will have to play around with other options and use those that work to reach your desired outcome.
- bluestar007_339 (Nimbostratus), Nov 12, 2017
Hi, thanks a million. It is clear now.
Here is what I got from tmm --clientciphers "DEFAULT"
tmm --clientciphers "ALL" is a long list.
1) Why is there ALL and DEFAULT?
2) Since I am using default (ciphers DEFAULT), I don't need to care about ALL?
3) What exactly is this command doing?
4) tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
5) Will the above command remove !RC4 from the box forever?
Thanks
- Simon_Blakely (Employee), Nov 12, 2017
1 ) Why there is ALL and default
ALL is the list of all supported ciphers. DEFAULT is the list of ciphers in the standard SSL profile, and provides a combination of useful and generally supported ciphers.
There are ciphers in ALL that are not recommended for general use. They are provided because they may be used in some specific circumstances.
2 ) Since i am using default (ciphers DEFAULT) , I don't need to care about all ?
You should always evaluate the ciphers supported in DEFAULT and compare them to your requirements. For example, DEFAULT may not provide a sufficiently strong score against an external ranking system like Qualys (due to the wider range of ciphers provided for client compatibility).
3 ) What does this command exactly doing ?
4) tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
From the ALL list of available ciphers, remove the following:
- EXPORT quality ciphers (EXPORT ciphers are weakened ciphers with smaller keys)
- RC4 based ciphers (a stream cipher that is no longer considered secure)
- DES based ciphers that are now considered insecure
- ADH: Anonymous Diffie-Hellman is an unauthenticated Diffie-Hellman exchange, and should not be used.
- EDH: Ephemeral Diffie-Hellman exchange. On LTM these are DHE_* ciphers. Some implementations of 1024-bit DHE are considered weak because they use common parameters allowing a pregenerated parameter attack. The F5 implementation of 1024-bit DHE is not susceptible to this because the parameters are regenerated hourly.
- SSLv3: This excludes ciphers that support the SSLv3 SSL/TLS protocol version - SSLv3 has weaknesses and should not be used.
- TLSv1: This excludes ciphers that support the TLSv1.0 SSL/TLS protocol version
- SHA1: This excludes ciphers that use the SHA1 cryptographic hash
K13171: Configuring the cipher strength for SSL profiles explains the difference between - and !.
5 )The above command will remove !RC4 from the box forever ?
It removes RC4 from the specific clientSSL profile.
N.B. - do not modify the default clientssl profile directly. Create a new profile with your customized cipher string, and use the new profile as the parent for your specific clientSSL profiles.
- bluestar007_339 (Nimbostratus), Nov 12, 2017
Hi,
tmm --clientciphers 'DEFAULT:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
Let's say I am executing the above command in the CLI; we have not mentioned anything about the client profile. So what will happen?
Thanks
- Simon_Blakely (Employee), Nov 12, 2017
tmm --clientciphers "cipherstring" just informs you how tmm will interpret the cipherstring when it is applied to a clientssl profile. It does not make any changes to the system.
- bluestar007_339 (Nimbostratus), Nov 13, 2017
Hi, I was just comparing the ALL and DEFAULT output, but none of them match? I was thinking DEFAULT is the filtered version of 'ALL'. Please correct me if I am wrong.
2) The below is from 'DEFAULT':
6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
If I want to remove AES128-SHA from the DEFAULT ciphers and assign it to the client profile, how would it look like?
ltm profile client-ssl test {
    app-service none
    cert digicert.crt
    cert-key-chain {
        digicert {
            cert digicert.crt
            chain digicertchain.crt
            key digicert.key
        }
    }
    chain gdigicertchain.crt
    defaults-from clientssl
    ciphers DEFAULT:-AES128-SHA
    inherit-certkeychain false
    key digicert.key
    passphrase none
}
(Now it inherits from the clientssl profile, so I am adding the "ciphers DEFAULT:-AES128-SHA" line.)
Please help. Thanks
- Simon_Blakely (Employee), Nov 15, 2017
I was just comparing ALL and DEFAULT output. But none of them match?
They should match, but the output of tmm --clientciphers sticks a line number on the beginning of each line, so the lines do not match exactly. Ignore those line numbers in the first column.
If I want to remove AES128-SHA from DEFAULT CIPHERS and assign to client profile, how would it look like?
You can test this easily using the following commands:
tmm --clientciphers 'DEFAULT' | grep "AES128-SHA"
tmm --clientciphers 'AES128-SHA'
Then with your proposed cipher string:
tmm --clientciphers 'DEFAULT:-AES128-SHA' | grep "AES128-SHA"
You should see that the ciphers named AES128-SHA are no longer included.
You can also filter on combined cipher elements: DEFAULT:-AES+SHA
This will filter all ciphers that use AES (AES128) and SHA, such as
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
...
Testing with tmm --clientciphers 'AES+SHA' will show the ciphers that match. You just need to play with the options to get familiar with them.
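To make the cipher-string mechanics in this thread concrete (ALL versus DEFAULT, exclusion with - and !, and combined keywords such as AES+SHA from the reply above), here is a small Python model of how such a string is evaluated. It is an added example, not F5 code and not tmm's real implementation: the suite catalogue, the keyword tags each suite answers to, and the DEFAULT membership are constructed from names that appear in this thread and are assumptions. The - and ! prefixes follow the OpenSSL cipher-list convention that K13171 is cited for above: - drops matching suites but a later keyword can add them back, while ! drops them for the rest of the string. On a real BIG-IP the keyword set and lists are version dependent, and tmm --clientciphers '<string>' remains the authoritative check.

```python
"""Toy model of BIG-IP / OpenSSL-style cipher string evaluation.

Added example, not F5 code.  The catalogue, tags and DEFAULT list below are
constructed for illustration; `tmm --clientciphers` on the box is authoritative.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset[str]  # keywords this suite answers to: name, KEYX, CIPHER, MAC, protocols


def _suite(name: str, *tags: str) -> Suite:
    return Suite(name, frozenset((name, *tags)))


# Constructed catalogue: suite names taken from the thread's tmm output plus a
# few legacy suites (RC4/DES/EXPORT) so the exclusion keywords have something
# to hit.  There is deliberately no bare "ECDH" or "AESGCM" tag, so, like the
# real tmm in the thread, "ECDH+AESGCM" matches nothing.
CATALOG = [
    _suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE_RSA", "ECDHE", "AES-GCM", "SHA384", "TLSv1.2"),
    _suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE_RSA", "ECDHE", "AES-GCM", "SHA256", "TLSv1.2"),
    _suite("ECDH-RSA-AES128-SHA", "ECDH_RSA", "AES", "AES128", "SHA", "SHA1", "TLSv1", "TLSv1.2"),
    _suite("ECDH-ECDSA-AES128-SHA", "ECDH_ECDSA", "AES", "AES128", "SHA", "SHA1", "TLSv1", "TLSv1.2"),
    _suite("AES128-SHA", "RSA", "AES", "AES128", "SHA", "SHA1", "SSLv3", "TLSv1", "TLSv1.2"),
    _suite("DHE-RSA-AES128-SHA", "DHE", "EDH", "AES", "AES128", "SHA", "SHA1", "SSLv3", "TLSv1", "TLSv1.2"),
    _suite("ADH-AES128-SHA", "ADH", "AES", "AES128", "SHA", "SHA1", "SSLv3", "TLSv1", "TLSv1.2"),
    _suite("RC4-SHA", "RSA", "RC4", "SHA", "SHA1", "SSLv3", "TLSv1", "TLSv1.2"),
    _suite("DES-CBC-SHA", "RSA", "DES", "SHA", "SHA1", "SSLv3", "TLSv1"),
    _suite("EXP-RC4-MD5", "RSA", "RC4", "EXPORT", "MD5", "SSLv3", "TLSv1"),
]

# Assumed DEFAULT list: the generally useful subset, without anonymous DH,
# RC4, DES or export-grade suites.  ALL is the whole catalogue.
DEFAULT_NAMES = frozenset({
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-SHA", "ECDH-ECDSA-AES128-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA",
})


def expand(keyword: str) -> list[Suite]:
    """Suites selected by one keyword.  'A+B' requires a suite to match both A and B."""
    if keyword == "ALL":
        return list(CATALOG)
    if keyword == "DEFAULT":
        return [s for s in CATALOG if s.name in DEFAULT_NAMES]
    parts = keyword.split("+")
    return [s for s in CATALOG if all(p in s.tags for p in parts)]


def evaluate(cipher_string: str) -> list[str]:
    """Return the ordered suite names a colon-separated cipher string resolves to.

    Prefix semantics (OpenSSL convention):
      (none)  add the matching suites unless they were killed with '!'
      -kw     drop matching suites now; a later keyword may add them back
      !kw     drop matching suites permanently for the rest of the string
    """
    selected: list[Suite] = []
    killed: set[str] = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        op, keyword = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        hits = expand(keyword)
        hit_names = {s.name for s in hits}
        if op == "!":
            killed |= hit_names
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s.name not in hit_names]
        else:
            for s in hits:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


if __name__ == "__main__":
    for cs in ("ECDH+AESGCM", "AES-GCM", "DEFAULT:-AES128-SHA", "DEFAULT:-AES+SHA",
               "ALL:-RC4:RC4-SHA", "ALL:!RC4:RC4-SHA",
               "ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1"):
        print(f"{cs}\n    {evaluate(cs)}")
```

The two strings ALL:-RC4:RC4-SHA and ALL:!RC4:RC4-SHA are the pair to look at: with - the trailing RC4-SHA comes back at the end of the list, with ! it stays out. That is also why the thread's exclusive style (start from ALL or DEFAULT and subtract with !) is easier to reason about than a long inclusive list: nothing later in the string can silently reintroduce a suite you meant to drop.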