Forum Discussion
Custom cipher suite
Can you help me set it up on an F5 running 12.1.2 HF1? I am following the cipher suite that is stated on this guide.
Here's the one I would like to use:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
The DEFAULT cipher suite shows weak cipher suites.
- BAMcHenry
Ret. Employee
Have you reviewed the SSL Everywhere Recommended Practices Guide? https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf
- edmonaft_351139
Nimbostratus
I've reviewed it. I just want to confirm the validity of this document against the current SSL recommendations, since it was published back in 2015.
- BAMcHenry
Ret. Employee
The SSL Labs list of ciphers to include and the order of priority is certainly the most accurate and updated.
DEFAULT is set to the best balance of security and performance at the time of a given release. DEFAULT is updated with each release of TMOS. The Recommended Practices Guide covers how to customize the cipher string to meet updated standards as indicated by SSL Labs or other standards-setting bodies.
Please check the section "Fine-Tuning Data Protection" starting on page 8 on how to build a cipher string to create the list of ciphers in your original post.
- edmonaft_351139
Nimbostratus
Based on the instructions, I see that it requires me to access the F5 via SSH to enter these commands. I wonder if there's a way to do it via the GUI? I am not too comfortable doing this via SSH.
- nathe
Cirrocumulus
The only reason you would need the CLI is to perform the tmm --clientciphers command to detail what ciphers a string will create.
How about this one? You then just need to add this to the cipher string in the clientssl profile.

tmm --clientciphers 'ECDHE_ECDSA:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:DHE+AES-GCM:DHE+AES:DHE+3DES:RSA+AESGCM:-MD5:-SSLv3:-RC4:-3DES'

       ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384       256  TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA          256  TLS1    Native  AES      SHA     ECDHE_ECDSA
 3: 49162  ECDHE-ECDSA-AES256-SHA          256  TLS1.1  Native  AES      SHA     ECDHE_ECDSA
 4: 49162  ECDHE-ECDSA-AES256-SHA          256  TLS1.2  Native  AES      SHA     ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
 6: 49187  ECDHE-ECDSA-AES128-SHA256       128  TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
 7: 49161  ECDHE-ECDSA-AES128-SHA          128  TLS1    Native  AES      SHA     ECDHE_ECDSA
 8: 49161  ECDHE-ECDSA-AES128-SHA          128  TLS1.1  Native  AES      SHA     ECDHE_ECDSA
 9: 49161  ECDHE-ECDSA-AES128-SHA          128  TLS1.2  Native  AES      SHA     ECDHE_ECDSA
10: 49200  ECDHE-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
12: 49192  ECDHE-RSA-AES256-SHA384         256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA        256  TLS1    Native  AES      SHA     ECDHE_RSA
14: 49172  ECDHE-RSA-AES256-CBC-SHA        256  TLS1.1  Native  AES      SHA     ECDHE_RSA
15: 49172  ECDHE-RSA-AES256-CBC-SHA        256  TLS1.2  Native  AES      SHA     ECDHE_RSA
16: 49191  ECDHE-RSA-AES128-SHA256         128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
17: 49171  ECDHE-RSA-AES128-CBC-SHA        128  TLS1    Native  AES      SHA     ECDHE_RSA
18: 49171  ECDHE-RSA-AES128-CBC-SHA        128  TLS1.1  Native  AES      SHA     ECDHE_RSA
19: 49171  ECDHE-RSA-AES128-CBC-SHA        128  TLS1.2  Native  AES      SHA     ECDHE_RSA
20:   159  DHE-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
21:   158  DHE-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
22:   107  DHE-RSA-AES256-SHA256           256  TLS1.2  Native  AES      SHA256  EDH/RSA
23:    57  DHE-RSA-AES256-SHA              256  TLS1    Native  AES      SHA     EDH/RSA
24:    57  DHE-RSA-AES256-SHA              256  TLS1.1  Native  AES      SHA     EDH/RSA
25:    57  DHE-RSA-AES256-SHA              256  TLS1.2  Native  AES      SHA     EDH/RSA
26:    57  DHE-RSA-AES256-SHA              256  DTLS1   Native  AES      SHA     EDH/RSA
27:   103  DHE-RSA-AES128-SHA256           128  TLS1.2  Native  AES      SHA256  EDH/RSA
28:    51  DHE-RSA-AES128-SHA              128  TLS1    Native  AES      SHA     EDH/RSA
29:    51  DHE-RSA-AES128-SHA              128  TLS1.1  Native  AES      SHA     EDH/RSA
30:    51  DHE-RSA-AES128-SHA              128  TLS1.2  Native  AES      SHA     EDH/RSA
31:    51  DHE-RSA-AES128-SHA              128  DTLS1   Native  AES      SHA     EDH/RSA
By the way, you didn't specify a TLS version, so this includes all TLS versions. If you add -TLSv1 at the end, that would disallow TLS 1.0.
Rgds N
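A way to check a tmm --clientciphers listing against the list from the original post without eyeballing 32 rows, added here as an example (it is not code from the thread or from F5). It compares suites by IANA suite ID, which is the decimal SUITE column in tmm output, so the different spellings used by IANA, OpenSSL and F5 do not matter. The sample rows are taken from nathe's output above, with one extra 3DES row that is constructed (its name and bit count are assumed) so the report has something to flag; the IANA IDs are the standard registry values.

```python
"""Check a tmm --clientciphers listing against a desired cipher-suite list.

Added example, not code from the thread or from F5. Suites are compared by
IANA suite ID instead of by name, because IANA, OpenSSL and F5 spell the
same suite differently (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is shown by tmm
as ECDHE-RSA-AES256-CBC-SHA and by OpenSSL as ECDHE-RSA-AES256-SHA).
"""
import re

# The 18 suites from the original post, mapped to their IANA registry IDs
# (the decimal SUITE column in tmm output is the same number).
DESIRED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": 0xC009,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 0xC00A,
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 0xC023,
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 0xC024,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": 0x009F,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": 0x006B,
}

# Constructed sample in the column layout tmm --clientciphers prints. Rows are
# taken from the thread's output (one TLS1.2 row per suite, plus one TLS1 and
# one DTLS1 row); the final 3DES row is made up (name and bits assumed) so the
# report has an unexpected suite to flag.
SAMPLE_OUTPUT = """\
       ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384   256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384       256  TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
 2: 49162  ECDHE-ECDSA-AES256-SHA          256  TLS1    Native  AES      SHA     ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256   128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
 6: 49187  ECDHE-ECDSA-AES128-SHA256       128  TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
 9: 49161  ECDHE-ECDSA-AES128-SHA          128  TLS1.2  Native  AES      SHA     ECDHE_ECDSA
10: 49200  ECDHE-RSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
12: 49192  ECDHE-RSA-AES256-SHA384         256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
15: 49172  ECDHE-RSA-AES256-CBC-SHA        256  TLS1.2  Native  AES      SHA     ECDHE_RSA
16: 49191  ECDHE-RSA-AES128-SHA256         128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
19: 49171  ECDHE-RSA-AES128-CBC-SHA        128  TLS1.2  Native  AES      SHA     ECDHE_RSA
20:   159  DHE-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
21:   158  DHE-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
22:   107  DHE-RSA-AES256-SHA256           256  TLS1.2  Native  AES      SHA256  EDH/RSA
26:    57  DHE-RSA-AES256-SHA              256  DTLS1   Native  AES      SHA     EDH/RSA
27:   103  DHE-RSA-AES128-SHA256           128  TLS1.2  Native  AES      SHA256  EDH/RSA
30:    51  DHE-RSA-AES128-SHA              128  TLS1.2  Native  AES      SHA     EDH/RSA
32: 49170  ECDHE-RSA-DES-CBC3-SHA          168  TLS1.2  Native  DES-CBC3 SHA     ECDHE_RSA
"""

# Columns: index, id, name, bits, prot, method, cipher, mac, keyx
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_clientciphers(text):
    """Return one dict per cipher row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, name, bits, prot, _method, cipher, mac, keyx = m.groups()
            rows.append({"id": int(sid), "name": name, "bits": int(bits),
                         "prot": prot, "cipher": cipher, "mac": mac, "keyx": keyx})
    return rows


def audit(rows, desired=DESIRED, allowed_protocols=("TLS1.2",)):
    """Compare parsed rows with the desired suites and the allowed protocol versions."""
    present = {r["id"] for r in rows}
    wanted = set(desired.values())
    return {
        # desired suites the cipher string did not produce
        "missing": sorted(n for n, sid in desired.items() if sid not in present),
        # suites the string produced that were never asked for (here: 3DES)
        "unexpected": sorted({r["name"] for r in rows if r["id"] not in wanted}),
        "protocols": sorted({r["prot"] for r in rows}),
        # protocol versions the string still allows but policy does not
        "disallowed_protocols": sorted({r["prot"] for r in rows
                                        if r["prot"] not in allowed_protocols}),
    }


if __name__ == "__main__":
    for key, value in audit(parse_clientciphers(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

To use it against a real box, save the tmm --clientciphers output to a file and pass its contents to parse_clientciphers instead of SAMPLE_OUTPUT. On the sample, missing is empty (the string produced all 18 suites), unexpected lists only the constructed 3DES row, and disallowed_protocols reports DTLS1 and TLS1, which is exactly the situation nathe describes and the reason to append -TLSv1 to the string.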