Forum Discussion
CirrusF5 ciphersuite syntax
Greetings,
I parsed through the responses and don't see that anyone's mentioned this yet, apologies if this has already been mentioned:
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.
https://support.f5.com/csp/article/K13171
Hope this is helpful, thank you!
Kevin
ottleydamianThanks Kevin,
Actually the ! symbol was the syntax that I did understand. What was tripping me up before was if I only wanted TLSv1.2 ie. no sslv3, no tlsv1.0 and no tlsv1.1 why did the syntax in the F5 article have "-TLSv1:-SSLv3". I was expecting "!TLSv1:!SSLv3" etc.
But though I can't fully understand all the intricacies of why it works, I at least am confident that it does work.
I think the only difference would be flexibility. Allow customers to add specific ciphers back in if they deem them necessary. For example, tlsv1 would work for DHE-RSA-DES-CBC3-SHA (if you needed that):
-TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHAtlsv1 would not work for DHE-RSA-DES-CBC3-SHA (if you needed it):
!TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA- ottleydamian
Thanks,
The missed question/answer in all this was how does the following syntax ONLY allow TLSv1.2:
'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'
Or put another way, when you read that syntax, what specifically prevents ciphers that use TLSv1.1 or TLS1.0 or even SSLv3 from being used?
"what specifically prevents ciphers that use TLSv1.1 or TLS1.0 or even SSLv3 from being used?"
This string: !SSLv2:-TLSv1:-SSLv3 should not prevent TLS1.1 (I wouldn't expect that reading the title of the CVE). But it should:
Do not allow SSLv2 ever -> !SSLv2 Do not allow tlsv1, but add back later: -> -TLSv1 Do not allow sslv3, but add back later: -> -SSLv3
Hope this helps,
Kevin- ottleydamian
- In the article there is a section titled: Restricting the Configuration utility to use only TLS 1.2 compatible or RC4-SHA ciphers The first subsection shows explicit details on how to ONLY allow TLSv1.2. There is where I got the syntax from.
- I tested the syntax using openssl s_client -connect (see above) and saw evidence that tlsv1.0, tls1.1 was NOT ALLOWED to connect. Only tlsv1.1.
So the question was how do you achieve this from reading the syntax?
What I now understand is that since the '-' means that ciphers are deleted from the list but could be re added later and they were not re add then in essence they were deleted. There is no syntax for tls1.1 so it was also blocked by the -tls1 syntax. RC4-SHA was needed, that is why they used '-' and not !. Since the 'ALL' was used initially anything not explicitly denied is allowed. That is my understanding as to why the syntax works. If I'm wrong tell me.
Good day,
I just wanted to mention that I am taking a peek into this, but your testing seems to have confirmed that the syntax is working.Will let you know once I have something.
Thanks,
KevinGood day,
I was a bit thrown off by the tmm --clientciphers output and didn't realize this is actually for the UI. Oops. So two things to consider so far:1) You definitely would need to add TLSv1_1 to block tls1.1 using a client ssl profile. 2) It isn't apparent from my research why -TLSv1 blocks tlsv1 and tlsv1.1 in httpd (apache).
Adding -TLSv1.1 doesn't seem to affect anything in 11.x, but 10.x can't accept that option.
Does this help? I believe there's an anomaly here, though tested to work and tls1.1 isn't affected by beast, so this seems to simply be a question of "why does this work this way" and there doesn't as of yet seem an obvious answer.
If something comes up, I'll let you know.
Thank you,
Kevin
