F5 ciphersuite syntax

Question

Help me understand F5 ciphersuite syntax please: https://support.f5.com/csp/article/K13400&nbsp;
In the client-ssl ciphers syntax the article states that if you want to support TLS1.0 and SSL3.0 do the following:&nbsp;
tmsh create /ltm profile client-ssl  ciphers DEFAULT:-SSLv3:-TLSv1:RC4-SHA&nbsp;
&nbsp;If you don't want to allow SSLv3 do the following:&nbsp;
tmsh create /ltm profile client-ssl  ciphers DEFAULT:!SSLv3:-TLSv1:RC4-SHA&nbsp;
&nbsp;that would make sense because the exclamation mark (!) negates that protocol.&nbsp;
In the same article to disable all protocols except TLS1.2 for management access the syntax is as follows:&nbsp;
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'&nbsp;
Logic seems to suggest that this syntax is allowing protocols from SSLv3 and above. Meaning allow 'ALL' except those with the '!' and then explicitly allowing TLSv1 and SSLv3 (and above).&nbsp;
Since the article says I'm wrong how an I supposed to read this??? Confused!!! &nbsp;

vijay_e · Answer

When in doubt, try using and play with the cipher suite definition:
tmm --clientciphers 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:TLSv1:SSLv3:RC4-SHA'

ottleydamian · Answer

Despite what TMM showed in its output about I believe now that the syntax in the F5 article is CORRECT. I tested with the following commands:&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -ssl3&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1_1&nbsp;
openssl s_client -connect [IP ADDRESS]:443 -tls1_2&nbsp;
In the first 3 there was no negotiation but the last one accepted TLSv1.2. 
Note:I also noticed the syntax difference which might explain the difference in syntax for OpenSSL and TMM for TLSv1.2.&nbsp;

kevin_k_51432 · Answer

Greetings,&nbsp;
I parsed through the responses and don't see that anyone's mentioned this yet, apologies if this has already been mentioned:&nbsp;
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.&nbsp;
https://support.f5.com/csp/article/K13171&nbsp;
Hope this is helpful, thank you!&nbsp;
Kevin&nbsp;

ottleydamian · Answer

Thanks Kevin,&nbsp;
Actually the ! symbol was the syntax that I did understand. What was tripping me up before was if I only wanted TLSv1.2 ie. no sslv3, no tlsv1.0 and no tlsv1.1 why did the syntax in the F5 article have "-TLSv1:-SSLv3". I was expecting "!TLSv1:!SSLv3" etc.&nbsp;
But though I can't fully understand all the intricacies of why it works, I at least am confident that it does work.&nbsp;

kevin_k_51432 · Answer

I think the only difference would be flexibility. Allow customers to add specific ciphers back in if they deem them necessary. For example, tlsv1 would work for DHE-RSA-DES-CBC3-SHA (if you needed that):
-TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHA

tlsv1 would not work for DHE-RSA-DES-CBC3-SHA (if you needed it):
!TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA

Forum Discussion

F5 ciphersuite syntax

Recent Discussions

Earth Simnavaz

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

Related Content

Syntax of Get-F5.iControl.NetworkingVLAN.Begincreate_v2

show sync status: Syntax Error

Syntax for creating pool with multiple monitors

iControl syntax

F5 Backup

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS