Forum Discussion
How to find which cipher suite is used or not?
For example, we have the cipher suites below:
ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) | SHA256 |
ECDHE-RSA-AES128-CBC-SHA (0xc013) | SHA |
ECDHE-RSA-AES128-SHA256 (0xc027) | SHA256 |
How can we know which cipher suite is used or not used?
Can we see how many times each cipher suite is used?
I saw that F5 keeps statistics about the SSL key exchange algorithm (ECDHE, DES, etc.) but no statistics about specific cipher suites.
Hello, you can restrict cipher suite selection from your clientssl/serverssl profiles.
When you're tuning it, you can list the suites allowed by your string using the bash command tmm --clientciphers <string>, e.g. tmm --clientciphers "DEFAULT". With the "@STRENGTH" syntax one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH").
Here's an SSL cheatsheet, by the way.
The best way to determine which one is negotiated is to perform a packet capture. Or, log it with an iRule:
when CLIENTSSL_CLIENTHELLO {
    set client_ciphers [SSL::cipher clientlist]
    log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
}
when CLIENTSSL_HANDSHAKE {
    set suite [SSL::cipher name]
    log local0. "Selected suite: $suite"
}
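For the "how many times" part of the question, the "Selected suite:" lines written by the iRule above can be tallied offline. This is an added example, not part of the original posts: the log lines are constructed samples, the rule name `log_cipher` and the host name are hypothetical, and it assumes the names logged by `SSL::cipher name` match the names in the configured list.

```python
import re
from collections import Counter

# Suites from the question's list (what the profile's cipher string allows).
CONFIGURED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-CBC-SHA",
    "ECDHE-RSA-AES128-SHA256",
]

# Constructed sample log lines (not real output); only the message text
# after the rule name comes from the iRule in the answer.
SAMPLE_LOG = """\
Jan 12 10:15:01 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_CLIENTHELLO>: Cipher suite ID's available for negotiation (client selection): 49199 49171 49191
Jan 12 10:15:01 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Jan 12 10:15:07 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Jan 12 10:16:30 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-CBC-SHA
Jan 12 10:17:02 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Jan 12 10:18:44 bigip1 info tmm[1234]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES256-GCM-SHA384
"""

# Matches only the handshake message; ClientHello lines are ignored.
SELECTED = re.compile(r"Selected suite: (\S+)")


def count_suites(lines):
    """Return a Counter of negotiated suite name -> number of handshakes."""
    counts = Counter()
    for line in lines:
        match = SELECTED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def usage_report(lines, configured):
    """Split the tally into used, never-negotiated, and not-in-list suites."""
    counts = count_suites(lines)
    used = {s: counts[s] for s in configured if counts[s]}
    unused = [s for s in configured if counts[s] == 0]
    # A logged suite missing from the list means the list or naming is off.
    unexpected = {s: n for s, n in counts.items() if s not in configured}
    return used, unused, unexpected


if __name__ == "__main__":
    used, unused, unexpected = usage_report(SAMPLE_LOG.splitlines(), CONFIGURED)
    print("used:", used)
    print("never negotiated:", unused)
    print("logged but not in configured list:", unexpected)
```

A suite that stays in the "never negotiated" list over a representative logging window is a candidate for removal from the cipher string.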