Forum Discussion
How to prioritize cipher suites on F5
Can I prioritize the cipher suites in the SSL profile? For example, if I have the following 4 cipher suites, how do I arrange them based on priority? I want them in the following order, where 1 is the highest priority and 4 is the lowest:
1 - RSA_WITH_RC4_128_SHA
2 - RSA_WITH_AES_256_CBC_SHA
3 - RSA_WITH_AES_128_CBC_SHA
4 - RSA_WITH_3DES_EDE_CBC_SHA
22 Replies
- Techgeeeg
Nimbostratus
Hi Brad,
Thanks for the reply..... so what I believe is that by PFS Preference the ciphers can't be set on F5.
- Brad_Parker
Cirrus
What do you mean by that? The order shown above is the preference order, with the F5 preferring the ciphers listed first.
- Techgeeeg_28888
Nimbostratus
Hi Brad,
Apologies if I didn't get your above reply. My query was that I want to set the ciphers in an order where the ciphers which offer PFS come first, and then the ones which don't offer PFS. So is it possible to do this on F5? Does your above reply show the ciphers set in that order, where the ciphers which offer PFS are placed first and the ones which don't offer it are placed below?
- Brad_Parker
Cirrus
Yes, the string above prioritizes PFS over non-PFS. Anything that contains ECDHE or DHE is PFS. Everything else is not.
- Techgeeeg
Nimbostratus
Hi Brad,
Thanks man, that did the job. Now I only have 128-bit and 256-bit ciphers in the list. I also want to include the 192-bit ciphers in the list, so is it possible, or do they all use maybe 3DES? My current cipher string is as under:
!EXPORT:!SSLv3:!SSLv2:!DTLSv1:!MD5:!RC4:!TLSv1:!3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES
- Brad_Parker
Cirrus
Well, the 192-bit ciphers are 3DES, and in actuality they are 168 since only the first 56 bits are used in each key. Then the first key is reused as the third key, making it only effectively a 112-bit cipher. This is why 3DES is losing favorability as being secure. I know it's a very simplified explanation, but 192-bit 3DES is now only considered to be effectively 112 bits.
- Techgeeeg
Nimbostratus
Thanks Brad
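
An added example, not part of the original thread and not F5 tooling: a small Python audit of the cipher string posted above, using the thread's rule that an entry containing ECDHE or DHE offers PFS. It assumes OpenSSL-style semantics (`:` separates entries, `!` permanently excludes a keyword, `+` requires all joined keywords); the function name `audit` is hypothetical.

```python
# Cipher string copied from the thread above.
CIPHER_STRING = ("!EXPORT:!SSLv3:!SSLv2:!DTLSv1:!MD5:!RC4:!TLSv1:!3DES:"
                 "ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:"
                 "RSA+AES-GCM:RSA+AES:RSA+3DES")

PFS_KEYWORDS = {"ECDHE", "DHE"}  # rule stated in the thread


def audit(cipher_string):
    """Return (entries, dead, pfs_first) for a cipher string.

    entries:   (entry, is_pfs) for each selecting entry, in listed order
    dead:      selecting entries naming a keyword that is also '!'-excluded
    pfs_first: True if no live PFS entry is listed after a live non-PFS entry
    Assumption: '!' exclusions are permanent wherever they appear.
    """
    parts = [p.strip() for p in cipher_string.split(":") if p.strip()]
    # Pass 1: collect every permanently excluded keyword.
    excluded = {p[1:].upper() for p in parts if p.startswith("!")}
    entries, dead = [], []
    # Pass 2: classify the selecting entries in preference order.
    for entry in parts:
        if entry.startswith("!"):
            continue
        keywords = [k.upper() for k in entry.split("+")]
        is_pfs = any(k in PFS_KEYWORDS for k in keywords)
        entries.append((entry, is_pfs))
        if any(k in excluded for k in keywords):
            dead.append(entry)
    live = [is_pfs for entry, is_pfs in entries if entry not in dead]
    # Descending sort puts True (PFS) first; equality means order is already PFS-first.
    pfs_first = live == sorted(live, reverse=True)
    return entries, dead, pfs_first


if __name__ == "__main__":
    entries, dead, pfs_first = audit(CIPHER_STRING)
    for entry, is_pfs in entries:
        status = "no effect (excluded by '!')" if entry in dead else "live"
        print(f"{entry:15} {'PFS' if is_pfs else 'non-PFS':8} {status}")
    print("PFS entries listed first:", pfs_first)
```

Under the stated assumption, the audit flags `ECDHE+3DES` and `RSA+3DES` as having no effect, because `!3DES` in the same string excludes them.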