Forum Discussion
Cipher Suite Ordering
I need to order my ciphers in a very specific way.
Using this command: tmm --clientciphers 'ECDHE+AES-GCM:ECDHE+AES:'
I get;
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
- 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
- 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
- 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
- 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
What I need, however, is;
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-CBC-SHA
- ECDHE-RSA-AES128-CBC-SHA
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
Which means moving line 7 in the original to line 4.
How can I specify the EXACT order I want them in?
Thanks in advance
- David_Stout (Nimbostratus)
The question doesn't fully make sense, as you have 10 ECDHE Ciphers in the first list and 6 in the second list. Also, there are non-ECDHE Ciphers listed in the second list, so while the question about ordering makes sense, the examples given don't match up. Looks like you want to swap an ECDHE Cipher for a DHE Cipher in the ordering, but why would you want to do that?
Just asking the questions to try and work out what the end game should be :)
- NetworkTeam_178 (Nimbostratus)
Apologies, copy and paste was wrong!
This is the list I currently have;
- 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
- 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
- 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
- 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
- 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
- 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
- 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
- 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
- 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
- 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
This is the list I require for a customer who is adamant they want the list as below;
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-CBC-SHA
- ECDHE-RSA-AES128-CBC-SHA
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- AES256-SHA256
- AES128-SHA256
- AES256-SHA
- AES128-SHA
Which means moving line 5 in the first list, up to line 3 so that the CBC-SHA ciphers are grouped together. I can then remove the two entries in the top list easy enough, the question is mainly about ordering the list.
- David_Stout (Nimbostratus)
Their list doesn't detail TLS versions required, but technically you can list the suites in a long-winded format like this:
tmm --clientciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!SSLv3:!DTLSv1'
Giving this list
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
2: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
5: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
6: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
8: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
10: 157 AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 RSA
11: 156 AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 RSA
12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
13: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
14: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
15: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
16: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
17: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
18: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
19: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
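Added example (not part of the original thread and not F5 code): a small Python check that parses saved `tmm --clientciphers` output in the row format shown above and reports where the suite order departs from the required list, which suites are absent, and which protocol versions appear. The names `REQUIRED`, `LISTING`, `parse_rows` and `audit` are made up for this example; the sample rows are a subset of the second listing in the thread.

```python
import re

# Required order, taken from the cipher string in the reply above.
REQUIRED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
            "ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:AES256-GCM-SHA384:"
            "AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA").split(":")

# Sample input: a subset of the rows in the thread's second listing.
LISTING = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
- 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
- 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
- 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
- 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
- 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
- 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
- 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
- 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
- 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
"""

# Optional "-" or "N:" prefix, then ID, SUITE, BITS, PROT; the header never matches.
ROW = re.compile(r"^\s*(?:-|\d+:)?\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s")

def parse_rows(text):
    """Return (suite, protocol) for each data row of the listing."""
    return [(m.group(2), m.group(4)) for m in map(ROW.match, text.splitlines()) if m]

def audit(text, required=REQUIRED):
    """Compare the listing's suite order with the required order."""
    rows = parse_rows(text)
    # A suite is repeated once per protocol version; keep first-seen order only.
    order = list(dict.fromkeys(suite for suite, _ in rows))
    # Compare only suites present on both sides, so an absent suite is
    # reported as missing instead of shifting every later position.
    want = [s for s in required if s in order]
    got = [s for s in order if s in required]
    diffs = ((i, w, g) for i, (w, g) in enumerate(zip(want, got)) if w != g)
    return {
        "first_mismatch": next(diffs, None),  # (index, expected, found)
        "missing": [s for s in required if s not in order],
        "unexpected": [s for s in order if s not in required],
        "protocols": sorted({prot for _, prot in rows}),
    }

if __name__ == "__main__":
    print(audit(LISTING))
```

The `protocols` field makes it easy to confirm that exclusions such as `!DTLSv1` took effect, since the customer's list names suites but not TLS versions.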