Forum Discussion

Hugo_van_der_K1's avatar
Hugo_van_der_K1
Icon for Altostratus rankAltostratus
Mar 06, 2020

How to build very specific Cipher string?

How can I specify a very specific Cipher string? The object is to only allow the ciphers below and offer them in this specific order.   TLS13-AES256-GCM-SHA384/TLS1.3 TLS13-CHACHA20-POLY1305-SH...
BIG-IP
cipher
LTM
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Mar 10, 2020
'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
# tmm --clientciphers 'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *
 1:  4867  TLS13-CHACHA20-POLY1305-SHA256   256  TLS1.3  CHACHA20-POLY1305   NULL    *
 2:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA
 4: 52393  ECDHE-ECDSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  AES-GCM             SHA256  ECDHE_ECDSA
 6: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 7: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 9: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA
  • Jean-Michel_Aud's avatar
    Jean-Michel_Aud
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2020

    I removed the CBC Ciphers to be compliant with SSL Labs weak ciphers list :

     

    TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1

    • Simon_Blakely's avatar
      Simon_Blakely
      Icon for Employee rankEmployee
      Mar 12, 2020

      In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).