Forum Discussion
cipher suite -adding and removing
Greetings,
I hope this makes sense, here goes:
If you use this syntax, all of the ciphers using RSA KEYX will be removed from the cipher list.
tmm --clientciphers 'DEFAULT:!RSA'
Let's say you'd like to include this cipher for some reason, but only this one:
DES-CBC3-SHA
If you used the ! filter, you would be unable to add only that cipher back:
tmm --clientciphers 'DEFAULT:!RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
So using the - filter allows you to add only that cipher back, but keep the others filtered out:
tmm --clientciphers 'DEFAULT:-RSA:DES-CBC3-SHA' | grep ' DES-CBC3-SHA'
48: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA
49: 10 DES-CBC3-SHA 168 TLS1.1 Native DES SHA RSA
50: 10 DES-CBC3-SHA 168 TLS1.2 Native DES SHA RSA
51: 10 DES-CBC3-SHA 168 DTLS1 Native DES SHA RSA
52: 10 DES-CBC3-SHA 168 SSL3 Native DES SHA RSA
Hope this is helpful!
Kevin

Hi,
ltm profile client-ssl test {
    app-service none
    cert digicert.crt
    cert-key-chain {
        digicert {
            cert digicert.crt
            chain gdigicertchain.crt
            key digicert.key
        }
    }
    chain gdigicertchain.crt
    defaults-from clientssl
    inherit-certkeychain false
    key digicert.key
    passphrase none
}
1. If I have a client profile like the one above, which is inheriting from the clientssl profile (the clientssl profile uses ciphers "DEFAULT"):
Now I decided to alter the DEFAULT for profile 'test', just to remove 'DES-CBC3-SHA'. Will the below profile work?
ltm profile client-ssl test {
    app-service none
    cert digicert.crt
    cert-key-chain {
        digicert {
            cert digicert.crt
            chain gdigicertchain.crt
            key digicert.key
        }
    }
    chain gdigicertchain.crt
    **ciphers 'DEFAULT:!RSA:DES-CBC3-SHA'**
    defaults-from clientssl
    inherit-certkeychain false
    key digicert.key
    passphrase none
}
2. Let's say I used ciphers 'DEFAULT:!RSA' and later on decided to bring all RSA back. Will reverting the string from 'DEFAULT:!RSA' to ciphers 'DEFAULT' help?
Thanks
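
The difference between the ! and - filters described in the first post can be checked offline with a small model of cipher-string evaluation. This is an added example, not code from the thread or from F5: the catalogue, the keyword tags and the function names are constructed, and only the `!`, `-` and plain-add operators are modelled.

```python
# Simplified model of cipher-string evaluation: '!' removes permanently,
# '-' removes but allows a later re-add, a bare token adds.
# Assumption: ordering operators such as '+' and '@STRENGTH' are not modelled.

# Constructed catalogue: cipher name -> keywords that select it.
# "RSA" here tags RSA key exchange, as in the first post.
CATALOGUE = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE"},
    "ECDHE-RSA-AES256-CBC-SHA": {"ECDHE"},
    "AES128-GCM-SHA256": {"RSA"},
    "AES256-SHA": {"RSA"},
    "DES-CBC3-SHA": {"RSA"},
}


def select(token):
    """Ciphers matched by a keyword or an exact cipher name."""
    if token == "DEFAULT":  # constructed stand-in for the real DEFAULT set
        return list(CATALOGUE)
    return [c for c, tags in CATALOGUE.items() if token == c or token in tags]


def evaluate(cipher_string):
    """Return the resulting cipher list, in order, for a cipher string."""
    active, killed = [], set()
    for part in cipher_string.split(":"):
        if part.startswith("!"):
            hit = select(part[1:])
            killed.update(hit)  # remembered: later tokens cannot re-add
            active = [c for c in active if c not in hit]
        elif part.startswith("-"):
            hit = select(part[1:])  # dropped now, but not remembered
            active = [c for c in active if c not in hit]
        else:
            for c in select(part):
                if c not in killed and c not in active:
                    active.append(c)
    return active


if __name__ == "__main__":
    for s in ("DEFAULT:!RSA", "DEFAULT:!RSA:DES-CBC3-SHA",
              "DEFAULT:-RSA:DES-CBC3-SHA"):
        print(f"{s:28} -> {evaluate(s)}")
```

On a real system, the `tmm --clientciphers '<string>'` command shown in the first post lists what a string actually expands to, which is worth checking before putting it in a profile.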