For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hugo_van_der_K1's avatar
Hugo_van_der_K1
Icon for Altostratus rankAltostratus
Mar 06, 2020

How to build very specific Cipher string?

How can I specify a very specific Cipher string?

The object is to only allow the ciphers below and offer them in this specific order.

 

TLS13-AES256-GCM-SHA384/TLS1.3

TLS13-CHACHA20-POLY1305-SHA256/TLS1.3

TLS13-AES128-GCM-SHA256/TLS1.3

ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2

ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-GCM-SHA384/TLS1.2

ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-RSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-CBC-SHA/TLS1.2

ECDHE-RSA-AES128-CBC-SHA/TLS1.2

 

Is this possible at all?

BIG-IP
cipher
LTM
security

3 Replies

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Mar 10, 2020
    'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
    # tmm --clientciphers 'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *
 1:  4867  TLS13-CHACHA20-POLY1305-SHA256   256  TLS1.3  CHACHA20-POLY1305   NULL    *
 2:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA
 4: 52393  ECDHE-ECDSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  AES-GCM             SHA256  ECDHE_ECDSA
 6: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 7: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 9: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
    • Jean-Michel_Aud's avatar
      Jean-Michel_Aud
      Icon for Nimbostratus rankNimbostratus
      Mar 12, 2020

      I removed the CBC Ciphers to be compliant with SSL Labs weak ciphers list :

       

      TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1

      • Simon_Blakely's avatar
        Simon_Blakely
        Icon for Employee rankEmployee
        Mar 12, 2020

        In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).