Forum Discussion

bluestar007_339's avatar
bluestar007_339
Icon for Nimbostratus rankNimbostratus
Nov 12, 2017

cipher help

Hi, BIG IP 11.5 I have the following profile ltm profile client-ssl clientssl { alert-timeout 10 app-service none authenticate once authenticate-depth 9 ca-file none cache-size 262144 cache-...
application delivery
BIG-IP
Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
Nov 12, 2017

Yup, apply custom cipher configuration to your custom profile, or even better, refer to model below. I've found it's best to leave default vendor profiles untouched at all times. But I also do not want to waste time repeating same custom settings across many app-specific profiles. So I found 3-tiered models work the best. Here's what I do:

  1. clientssl
    (vendor default). Always untouched
  2. clientssl_base
    (defaults-from clientssl). Here I apply my custom configurations to be used across all app-specific profiles. Advantage of having this profile - I only have to define my custom configurations, i.e. preferred cipher suites just once without having to alter vendor defaults.
  3. clientssl_appspecific
    . (defaults-from clientssl_base). This profile has application-specific TLS cert/key pair attached to it, cipher configuration and all other settings are derived from clientssl_base profile.
bluestar007_339's avatar
bluestar007_339
Icon for Nimbostratus rankNimbostratus
Nov 12, 2017

Hi, Now I am getting clear in the subject . Let me ask you why "tmm --clientciphers "ECDH+AESGCM" does it mean BIG ip does not support this ?

 

or If i rephrase the question "ECDH+AESGCM" and "AES-GCM" are same ?

 

What does this command exactly doing ?

 

tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'

 

This will remove !RC4 from the box forever ?

 

Thanks