F5 ciphersuite syntax
Greetings,
I parsed through the responses and don't see that anyone's mentioned this yet, apologies if this has already been mentioned:
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.
https://support.f5.com/csp/article/K13171
Hope this is helpful, thank you!
Kevin
Thanks Kevin,
Actually the ! symbol was the syntax that I did understand. What was tripping me up before was: if I only wanted TLSv1.2, i.e. no SSLv3, no TLSv1.0 and no TLSv1.1, why did the syntax in the F5 article have "-TLSv1:-SSLv3"? I was expecting "!TLSv1:!SSLv3" etc.
But though I can't fully understand all the intricacies of why it works, I at least am confident that it does work.
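The rule in the quoted note, as an added sketch that is not part of either post and is not F5's or OpenSSL's parser: a simplified evaluator in which `!` bans matching suites for the rest of the string while `-` only drops them from the current list. The suite labels, the keyword tags in `CATALOGUE` and the `evaluate` function are assumptions constructed for illustration.

```python
# Simplified model of the "!" versus "-" rule from the quoted note.
# CATALOGUE is constructed sample data: (suite label, keywords it matches).
CATALOGUE = [
    ("ECDHE-AES128-GCM/TLS1.2", {"ECDHE", "AES", "TLSv1_2"}),
    ("ECDHE-AES128-CBC/TLS1.2", {"ECDHE", "AES", "TLSv1_2"}),
    ("ECDHE-AES128-CBC/TLS1.0", {"ECDHE", "AES", "TLSv1"}),
    ("RSA-AES128-CBC/TLS1.0", {"RSA", "AES", "TLSv1"}),
    ("RSA-RC4/SSL3", {"RSA", "RC4", "SSLv3"}),
]


def evaluate(cipher_string):
    """Return the ordered suite list a cipher string yields in this model."""
    selected = []    # current cipher list, in order of addition
    banned = set()   # suites removed with "!", never eligible again
    for token in cipher_string.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-" else ""
        keyword = token[len(op):]
        matches = [name for name, tags in CATALOGUE
                   if keyword == "ALL" or keyword in tags]
        if op == "!":
            # Permanent: drop now and refuse any later re-add.
            banned.update(matches)
            selected = [s for s in selected if s not in banned]
        elif op == "-":
            # Soft: drop now, but a later keyword may add it back.
            selected = [s for s in selected if s not in matches]
        else:
            selected += [m for m in matches
                         if m not in selected and m not in banned]
    return selected


if __name__ == "__main__":
    for s in ("ALL:-TLSv1:-SSLv3", "ALL:!TLSv1:!SSLv3",
              "ALL:-TLSv1:-SSLv3:AES", "ALL:!TLSv1:!SSLv3:AES"):
        print(f"{s:28} -> {evaluate(s)}")
```

In this model the `-` and `!` forms give the same list as long as nothing after them re-selects the removed suites; the difference only appears when a later keyword such as `AES` matches them again.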