F5 ciphersuite syntax
Greetings,
I parsed through the responses and don't see that anyone's mentioned this yet; apologies if this has already been mentioned:
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.
https://support.f5.com/csp/article/K13171
Hope this is helpful, thank you!
Kevin
I think the only difference would be flexibility. Allow customers to add specific ciphers back in if they deem them necessary. For example, tlsv1 would work for DHE-RSA-DES-CBC3-SHA (if you needed that):
-TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHA
tlsv1 would not work for DHE-RSA-DES-CBC3-SHA (if you needed it):
!TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA
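The difference between the two strings above can be checked with a small model of the `!` and `-` rules quoted from K13171. This is an added example, not part of the posts and not F5's parser; it assumes a constructed cipher table of (name, protocol) pairs and a list that starts empty, and it also reports entries that a `-` targeted but a later token brought back.

```python
# Constructed sample of (cipher name, protocol) pairs; not a real BIG-IP cipher table.
SUPPORTED = [
    ("DHE-RSA-DES-CBC3-SHA", "SSLv3"),
    ("DHE-RSA-DES-CBC3-SHA", "TLSv1"),
    ("DHE-RSA-DES-CBC3-SHA", "TLSv1.2"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
]


def evaluate(cipher_string, supported=SUPPORTED):
    """Model the '!' and '-' rules; return (active, readded).

    active  -- ordered list of (name, protocol) entries left after all tokens
    readded -- entries an earlier '-' targeted that a later token added back
    Assumption: the list starts empty and a keyword matches an entry's
    cipher name or protocol exactly.
    """
    active, readded = [], []
    killed = set()          # removed with '!': never eligible again
    minus_targets = set()   # targeted with '-': may come back later
    for token in filter(None, cipher_string.split(":")):
        op = token[0] if token[0] in "!-" else ""
        keyword = token[len(op):]
        selected = [e for e in supported if keyword in e]
        if op == "!":
            killed.update(selected)
            active = [e for e in active if e not in killed]
        elif op == "-":
            minus_targets.update(selected)
            active = [e for e in active if e not in selected]
        else:
            for entry in selected:
                if entry in killed or entry in active:
                    continue
                active.append(entry)
                if entry in minus_targets:
                    readded.append(entry)
    return active, readded


if __name__ == "__main__":
    for s in ("-TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHA",
              "!TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA"):
        active, readded = evaluate(s)
        print(s)
        print("  active :", active)
        print("  readded:", readded)
```

A non-empty `readded` list is the case to look for when reviewing a profile: a protocol or cipher the string appears to exclude with `-` is still negotiable.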