Forum Discussion
cipher help
Yup, apply custom cipher configuration to your custom profile, or even better, refer to model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating same custom settings across many app-specific profiles. So I found 3-tiered models work the best. Here's what I do:
1. clientssl (vendor default). Always untouched.
2. clientssl_base (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile - I only have to define my custom configurations, i.e. preferred cipher suites, just once without having to alter vendor defaults.
3. clientssl_appspecific (defaults-from clientssl_base). This profile has the application-specific TLS cert/key pair attached to it; cipher configuration and all other settings are derived from the clientssl_base profile.
ECDH+AESGCM is not a valid keyword for configuration...
 
[root@bip-02:Active:Standalone] config tmm --clientciphers "ECDH+AESGCM"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
If you really want to match ECDH with AES and GCM, your closest match would be just the "AES-GCM" option, which would give you all of the following (exact list depends on your BigIP version):
 
[root@bip-02:Active:Standalone] config tmm --clientciphers "AES-GCM"
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
2: 163 DHE-DSS-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 DHE/DSS
3: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
4: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
5: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
6: 49198 ECDH-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_ECDSA
7: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
10: 162 DHE-DSS-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 DHE/DSS
11: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
12: 166 ADH-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ADH
13: 49201 ECDH-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_RSA
14: 49197 ECDH-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDH_ECDSA
15: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
To reduce complexity, I recommend you configure your ciphers as an exclusive derivative of ALL or DEFAULT.
 
First see what the ALL or DEFAULT is for your BigIP version like this:
 
tmm --clientciphers "ALL"
 
Then start excluding the junk you do not like with minus (-) signs or exclamation marks (!). The final result will not be as long and bulky as in the case of an inclusive configuration.
 
For example:
tmm --clientciphers "ALL:-SHA1"
 
See my answer in this thread for cipher ideas for version 11.5.x for PCI compliance https://devcentral.f5.com/s/feed/0D51T00006i7cGzSAI
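As an added illustration (not part of the original answer or any F5 tooling), here is a small parser for the tmm --clientciphers listing format shown above, with a review pass that flags suites a hardening exercise would usually exclude: the ADH (anonymous) entries that the "AES-GCM" keyword pulls in, and static RSA/ECDH key exchange with no forward secrecy. The sample input is constructed from the listing quoted above; the weak MAC/cipher column values checked are assumptions about how tmm labels them.

```python
from dataclasses import dataclass

# Constructed sample: a subset of the "AES-GCM" listing quoted in the answer above.
SAMPLE_OUTPUT = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
4: 167 ADH-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ADH
5: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
7: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
"""

@dataclass
class Suite:
    suite_id: int   # IANA cipher suite number (SUITE column)
    name: str
    bits: int
    proto: str
    cipher: str
    mac: str
    keyx: str

def parse_clientciphers(text):
    """Parse tmm --clientciphers output; the header row and anything malformed is skipped."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows are "N:" followed by the eight listed columns.
        if len(parts) != 9 or not parts[0].endswith(":"):
            continue
        _, sid, name, bits, proto, _method, cipher, mac, keyx = parts
        suites.append(Suite(int(sid), name, int(bits), proto, cipher, mac, keyx))
    return suites

def audit(suites):
    """Return {suite name: [findings]} for suites a hardening review would flag."""
    findings = {}
    for s in suites:
        problems = []
        if s.keyx == "ADH":
            problems.append("anonymous key exchange (no server authentication)")
        elif not s.keyx.startswith(("ECDHE", "EDH", "DHE")):
            problems.append("no forward secrecy (static key exchange)")
        # Assumed labels for legacy primitives in the CIPHER/MAC columns.
        if s.mac in ("MD5", "SHA", "SHA1") or s.cipher in ("RC4", "DES", "3DES"):
            problems.append(f"weak primitive: {s.cipher}/{s.mac}")
        if problems:
            findings[s.name] = problems
    return findings
```

Feed it the real output of `tmm --clientciphers "ALL"` to see what a candidate exclusion string such as `ALL:-SHA1` still leaves behind before applying it to clientssl_base.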
 