Forum Discussion

kridsana's avatar
Icon for Cirrocumulus rankCirrocumulus
Feb 24, 2022

How to find which cipher suit is used or not?

For example
we have cipher suite as below

ECDHE-RSA-AES128-GCM-SHA256 (0xc02f)SHA256
ECDHE-RSA-AES128-SHA256 (0xc027)SHA256

How can we know which cipher suit is used or not used?

Can we see how many times that cipher suit is using?

I saw F5 keep statistic about ssl exchange key algorithm (ECDHE, DES, etc) but no statistics about specific cipher suit. 

1 Reply

  • Hello, you can restrict cipher suites selection from your clientssl/serverssl profiles. 
    When you're tuning it, you can list the suites allowed by your string using bash command tmm --clientciphers <string> , ex. tmm --clientciphers "DEFAULT".

    With "@STRENGTH" syntax one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH" ).
    Here's an SSL cheatsheet by the way. 

    Best way to determine which one is negotiated is performing a packet capture. Or, log it with an iRule. 




        set client_ciphers [SSL::cipher clientlist]
        log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
        set suite [SSL::cipher name]
        log local0. "Selected suite: $suite"