Forum Discussion
How to build very specific Cipher string?
How can I specify a very specific Cipher string?
The objective is to only allow the ciphers below and offer them in this specific order.

```
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
TLS13-AES128-GCM-SHA256/TLS1.3
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-CBC-SHA/TLS1.2
ECDHE-RSA-AES128-CBC-SHA/TLS1.2
```
Is this possible at all?
- Simon_Blakely (Employee)

```
'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
```

```
# tmm --clientciphers 'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
       ID  SUITE                                 BITS  PROT    CIPHER             MAC     KEYX
 0:  4866  TLS13-AES256-GCM-SHA384                256  TLS1.3  AES-GCM            NULL    *
 1:  4867  TLS13-CHACHA20-POLY1305-SHA256         256  TLS1.3  CHACHA20-POLY1305  NULL    *
 2:  4865  TLS13-AES128-GCM-SHA256                128  TLS1.3  AES-GCM            NULL    *
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384          256  TLS1.2  AES-GCM            SHA384  ECDHE_ECDSA
 4: 52393  ECDHE-ECDSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305  NULL    ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256          128  TLS1.2  AES-GCM            SHA256  ECDHE_ECDSA
 6: 49200  ECDHE-RSA-AES256-GCM-SHA384            256  TLS1.2  AES-GCM            SHA384  ECDHE_RSA
 7: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256     256  TLS1.2  CHACHA20-POLY1305  NULL    ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256            128  TLS1.2  AES-GCM            SHA256  ECDHE_RSA
 9: 49172  ECDHE-RSA-AES256-CBC-SHA               256  TLS1.2  AES                SHA     ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA               128  TLS1.2  AES                SHA     ECDHE_RSA
```
- Jean-Michel_Aud (Nimbostratus)

I removed the CBC ciphers to be compliant with the SSL Labs weak ciphers list:

```
TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1
```
- Simon_Blakely (Employee)
In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).
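The accepted answer relies on reading the `tmm --clientciphers` table by eye to confirm that the offered list is exactly the requested suites in the requested order. The script below is an added example, not code from the thread or from F5: it builds the cipher string from the question's ordered list the way the accepted answer does (names joined by `:`, then `!TLSv1:!TLSv1_1`), parses the table that `tmm --clientciphers` prints (the sample is transcribed from the answer above; the column layout is assumed to be as shown there), checks the order, and flags the CBC suites the second reply dropped. Names such as `parse_tmm_output` and `check_order` are this example's own.

```python
"""Build a BIG-IP client-cipher string and check it against `tmm --clientciphers` output.

Added example for the thread above; not F5 code. The table format is assumed
to be the one shown in the accepted answer (index, ID, SUITE, BITS, PROT,
CIPHER, MAC, KEYX, whitespace separated).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ordered list from the question, in its "SUITE/PROTOCOL" form.
REQUESTED_TEXT = """\
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
TLS13-AES128-GCM-SHA256/TLS1.3
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-RSA-AES256-CBC-SHA/TLS1.2
ECDHE-RSA-AES128-CBC-SHA/TLS1.2
"""
REQUESTED = [tuple(line.split("/")) for line in REQUESTED_TEXT.splitlines()]

# Sample `tmm --clientciphers` table, transcribed from the accepted answer.
TMM_OUTPUT = """\
       ID  SUITE                                 BITS  PROT    CIPHER             MAC     KEYX
 0:  4866  TLS13-AES256-GCM-SHA384                256  TLS1.3  AES-GCM            NULL    *
 1:  4867  TLS13-CHACHA20-POLY1305-SHA256         256  TLS1.3  CHACHA20-POLY1305  NULL    *
 2:  4865  TLS13-AES128-GCM-SHA256                128  TLS1.3  AES-GCM            NULL    *
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384          256  TLS1.2  AES-GCM            SHA384  ECDHE_ECDSA
 4: 52393  ECDHE-ECDSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305  NULL    ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256          128  TLS1.2  AES-GCM            SHA256  ECDHE_ECDSA
 6: 49200  ECDHE-RSA-AES256-GCM-SHA384            256  TLS1.2  AES-GCM            SHA384  ECDHE_RSA
 7: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256     256  TLS1.2  CHACHA20-POLY1305  NULL    ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256            128  TLS1.2  AES-GCM            SHA256  ECDHE_RSA
 9: 49172  ECDHE-RSA-AES256-CBC-SHA               256  TLS1.2  AES                SHA     ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA               128  TLS1.2  AES                SHA     ECDHE_RSA
"""


@dataclass(frozen=True)
class Suite:
    index: int
    suite_id: int
    name: str
    bits: int
    proto: str
    cipher: str
    mac: str
    keyx: str


# One data row: "<n>: <id> <suite> <bits> <proto> <cipher> <mac> <keyx>".
ROW_RE = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def build_cipher_string(requested, exclude=("TLSv1", "TLSv1_1")) -> str:
    """Join the suite names in order and append the protocol exclusions, as the answer does."""
    return ":".join([name for name, _ in requested] + [f"!{p}" for p in exclude])


def parse_tmm_output(text: str) -> list[Suite]:
    """Parse the data rows of `tmm --clientciphers`; header and command echo are skipped."""
    suites = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, sid, name, bits, proto, cipher, mac, keyx = m.groups()
        suites.append(Suite(int(idx), int(sid), name, int(bits), proto, cipher, mac, keyx))
    return suites


def check_order(suites: list[Suite], requested) -> list[str]:
    """Return discrepancies between the offered list and the requested one (empty = exact match)."""
    offered = [(s.name, s.proto) for s in suites]
    problems = []
    for i, (want, got) in enumerate(zip(requested, offered)):
        if want != got:
            problems.append(f"position {i}: wanted {want[0]}/{want[1]}, got {got[0]}/{got[1]}")
    if len(offered) > len(requested):
        problems.append("extra suites offered: " + ", ".join(n for n, _ in offered[len(requested):]))
    elif len(offered) < len(requested):
        problems.append("suites not offered: " + ", ".join(n for n, _ in requested[len(offered):]))
    return problems


def cbc_suites(suites: list[Suite]) -> list[str]:
    """Names of CBC-mode suites, the ones the second reply removed for SSL Labs compliance."""
    return [s.name for s in suites if "-CBC-" in s.name]


if __name__ == "__main__":
    print(build_cipher_string(REQUESTED))
    offered = parse_tmm_output(TMM_OUTPUT)
    print("order problems:", check_order(offered, REQUESTED) or "none")
    print("CBC suites still offered:", cbc_suites(offered) or "none")
```

Feed it the real output of `tmm --clientciphers '<string>'` instead of the transcribed sample to verify a change on a unit; any reordering or silently dropped suite shows up as a non-empty `check_order` result, and `cbc_suites` is the quick test for whether the stricter variant from the second reply took effect.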