
Forum Discussion

yogesh_gaikwad_
Oct 21, 2015

How to prioritize cipher suites on F5

Can I prioritize the cipher suites in the SSL profile? For example, if I have the following 4 cipher suites, how do I arrange them based on priority? I want them in the following order, where 1 is the highest priority and 4 is the lowest:

1 - RSA_WITH_RC4_128_SHA
2 - RSA_WITH_AES_256_CBC_SHA
3 - RSA_WITH_AES_128_CBC_SHA
4 - RSA_WITH_3DES_EDE_CBC_SHA

22 Replies

  • Actually I already did that, but it puts the ciphers in the order of the number of bits, i.e. first it will put all 256, then 192, then 128 and so on... but not in the order of PFS.

  • 'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'
    will order the ciphers as requested.

    tmm --clientciphers 'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0:     5  RC4-SHA                          128  SSL3    Native  RC4       SHA     RSA
     1:     5  RC4-SHA                          128  TLS1    Native  RC4       SHA     RSA
     2:     5  RC4-SHA                          128  TLS1.1  Native  RC4       SHA     RSA
     3:     5  RC4-SHA                          128  TLS1.2  Native  RC4       SHA     RSA
     4:    53  AES256-SHA                       256  SSL3    Native  AES       SHA     RSA
     5:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
     6:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
     7:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
     8:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
     9:    47  AES128-SHA                       128  SSL3    Native  AES       SHA     RSA
    10:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
    11:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA
    12:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
    13:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
    14:    10  DES-CBC3-SHA                     168  SSL3    Native  DES       SHA     RSA
    15:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
    16:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
    17:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
    18:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA
    

    PFS would be prioritized by specifying cipher suites that are PFS first. @STRENGTH really isn't valid any more as it just orders based on bits, not cipher suite. @SPEED is similar as it orders it by smallest bit to largest. i.e.

    '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'

    tmm --clientciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
     5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
     6: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
     7: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
     8: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
     9: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
    10: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA
    11: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA
    12: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA
    13:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
    14:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
    15:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
    16:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
    17:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
    18:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
    19:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
    20:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
    21:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
    22:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA
    23:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
    24:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
    25:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
    26:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
    27:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
    28:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA
    
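The preference order in a listing like the one above can be checked mechanically rather than by eye. The script below is an added example, not F5 code and not something posted in this thread: it parses the fixed-width table that `tmm --clientciphers` prints, treats a suite as PFS when its KEYX column contains ECDHE or DHE, reports any PFS suite that is listed after a non-PFS one, and lists the legacy ciphers (RC4 and 3DES, which tmm shows as CIPHER `DES`) and legacy protocols (SSL3, TLS1, TLS1.1) that remain enabled. The sample output embedded in the script is constructed in the same format as the listing above, with one deliberate ordering mistake so the check has something to report; the regular expression, the `Suite` class and the function names are this example's own.

```python
"""Audit the order reported by `tmm --clientciphers` (added example, not F5 code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format tmm prints. Row 3 is a PFS suite placed
# after a static-RSA suite on purpose, so the ordering check fires.
SAMPLE_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA
 2:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
 3: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
 4:     5  RC4-SHA                          128  SSL3    Native  RC4       SHA     RSA
 5:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
"""

# tmm prints 3DES suites with CIPHER "DES"; RC4 is broken as a stream cipher.
LEGACY_CIPHERS = {"RC4", "DES"}
# SSL3 and TLS1/TLS1.1 are deprecated; TLS1.2 (and 1.3) is the floor today.
LEGACY_PROTOCOLS = {"SSL3", "TLS1", "TLS1.1"}

# index: id  suite  bits  prot  method  cipher  mac  keyx
ROW = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class Suite:
    index: int
    suite_id: int
    name: str
    bits: int
    proto: str
    cipher: str
    mac: str
    keyx: str

    @property
    def pfs(self) -> bool:
        # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
        return "ECDHE" in self.keyx or "DHE" in self.keyx


def parse_clientciphers(text: str) -> list[Suite]:
    """Parse the tmm table; header and blank lines are skipped."""
    suites: list[Suite] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, sid, name, bits, proto, _method, cipher, mac, keyx = m.groups()
        suites.append(Suite(int(idx), int(sid), name, int(bits), proto, cipher, mac, keyx))
    return suites


def pfs_after_non_pfs(suites: list[Suite]) -> list[str]:
    """Names of PFS suites that the BIG-IP would only offer after a non-PFS suite."""
    first_non_pfs = next((s.index for s in suites if not s.pfs), None)
    if first_non_pfs is None:
        return []
    return [s.name for s in suites if s.pfs and s.index > first_non_pfs]


def legacy_findings(suites: list[Suite]) -> list[str]:
    """Sorted, de-duplicated list of legacy ciphers/protocols still enabled."""
    findings: set[str] = set()
    for s in suites:
        if s.cipher in LEGACY_CIPHERS:
            findings.add(f"cipher:{s.cipher}")
        if s.proto in LEGACY_PROTOCOLS:
            findings.add(f"protocol:{s.proto}")
    return sorted(findings)


def audit(text: str) -> dict[str, list[str]]:
    suites = parse_clientciphers(text)
    return {
        "pfs_after_non_pfs": pfs_after_non_pfs(suites),
        "legacy": legacy_findings(suites),
    }


if __name__ == "__main__":
    # On a real unit, pipe in the live output instead:
    #   tmm --clientciphers '<cipher string>' | python3 audit_ciphers.py
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Feeding the script the output of `tmm --clientciphers` for a candidate cipher string, before applying that string to the SSL profile, turns "does this order prefer PFS?" into a yes/no answer and also surfaces anything the string still allows that you meant to exclude.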
  • Hi Brad,

    Thanks for the reply... so what I believe is that the ciphers can't be set by PFS preference on F5.

    • Brad_Parker
      What do you mean by that? The order shown above is the preference order, with the F5 preferring the ciphers listed first.
  • Hi Brad,

    Apologies if I didn't get your above reply. My query was that I want to set the ciphers in an order where the ciphers which offer PFS come first and then the ones which don't offer PFS. So is it possible to do this on F5? Does your above reply show the ciphers set in that order, with the ciphers which offer PFS placed first and the ones which don't offer it placed below?

    • Brad_Parker
      Yes, the string above prioritizes PFS over non-PFS. Anything that contains ECDHE or DHE is PFS. Everything else is not.
  • Hi Brad,

    Thanks man, that did the job. Now I only have 128-bit and 256-bit ciphers in the list. I also want to include the 192-bit ciphers in the list, so is it possible, or do they maybe all use 3DES? My current cipher string is as under:

    !EXPORT:!SSLv3:!SSLv2:!DTLSv1:!MD5:!RC4:!TLSv1:!3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES

    • Brad_Parker
      Well, the 192-bit ciphers are 3DES, and in actuality they are 168 since only the first 56 bits are used in each key. Then the first key is reused as the third key, making it only effectively a 112-bit cipher. This is why 3DES is losing favorability as being secure. I know it's a very simplified explanation, but 192-bit 3DES is now only considered to be effectively 112 bits.