How to prioritize cipher suites on F5
Can I prioritize the cipher suites in the SSL profile? For example, if I have the following 4 cipher suites, how do I arrange them based on priority? I want them in the following order, where 1 is the highest priority and 4 is the lowest:
1 - RSA_WITH_RC4_128_SHA
2 - RSA_WITH_AES_256_CBC_SHA
3 - RSA_WITH_AES_128_CBC_SHA
4 - RSA_WITH_3DES_EDE_CBC_SHA
22 Replies
Yes you can. Just add them from left to right, just like you've done. You can find the "short names" here:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
/Patrik
A tip is to set up a virtual server for testing and test with Qualys SSL labs. Then you can see the browser compatibility.
/Patrik
The last one should be DES-CBC3-SHA.
"!" means that you DON'T want the cipher in the list and you separate each cipher with a ":".
Here's an OK, if a bit outdated, article about cipher strings:
https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites
/Patrik
- Techgeeeg
Nimbostratus
Hi Guys,
Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....
- nathe
Cirrocumulus
If you append @STRENGTH to the end of the cipher string I think that will prioritise PFS ciphers from the BIG-IP. Someone may correct me on this....
- Techgeeeg
Nimbostratus
Actually I already did that, but it puts the ciphers in order of number of bits: first it will put all 256, then 192, then 128 and so on... but not in the order of PFS.
- Brad_Parker
Cirrus
'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES' will order the ciphers as requested.

    tmm --clientciphers 'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'
          ID  SUITE          BITS  PROT    METHOD  CIPHER  MAC  KEYX
     0:    5  RC4-SHA        128   SSL3    Native  RC4     SHA  RSA
     1:    5  RC4-SHA        128   TLS1    Native  RC4     SHA  RSA
     2:    5  RC4-SHA        128   TLS1.1  Native  RC4     SHA  RSA
     3:    5  RC4-SHA        128   TLS1.2  Native  RC4     SHA  RSA
     4:   53  AES256-SHA     256   SSL3    Native  AES     SHA  RSA
     5:   53  AES256-SHA     256   TLS1    Native  AES     SHA  RSA
     6:   53  AES256-SHA     256   TLS1.1  Native  AES     SHA  RSA
     7:   53  AES256-SHA     256   TLS1.2  Native  AES     SHA  RSA
     8:   53  AES256-SHA     256   DTLS1   Native  AES     SHA  RSA
     9:   47  AES128-SHA     128   SSL3    Native  AES     SHA  RSA
    10:   47  AES128-SHA     128   TLS1    Native  AES     SHA  RSA
    11:   47  AES128-SHA     128   TLS1.1  Native  AES     SHA  RSA
    12:   47  AES128-SHA     128   TLS1.2  Native  AES     SHA  RSA
    13:   47  AES128-SHA     128   DTLS1   Native  AES     SHA  RSA
    14:   10  DES-CBC3-SHA   168   SSL3    Native  DES     SHA  RSA
    15:   10  DES-CBC3-SHA   168   TLS1    Native  DES     SHA  RSA
    16:   10  DES-CBC3-SHA   168   TLS1.1  Native  DES     SHA  RSA
    17:   10  DES-CBC3-SHA   168   TLS1.2  Native  DES     SHA  RSA
    18:   10  DES-CBC3-SHA   168   DTLS1   Native  DES     SHA  RSA

PFS would be prioritized by specifying cipher suites that are PFS first. @STRENGTH really isn't valid any more as it just orders based on bits, not cipher suite. @SPEED is similar as it orders it by smallest bit to largest. i.e.

'!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'

    tmm --clientciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'
            ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     2:  49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
     3:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
     4:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
     5:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
     6:  49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
     7:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
     8:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
     9:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
    10:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1    Native  DES      SHA     ECDHE_RSA
    11:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1.1  Native  DES      SHA     ECDHE_RSA
    12:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1.2  Native  DES      SHA     ECDHE_RSA
    13:    157  AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
    14:    156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
    15:     61  AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
    16:     53  AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
    17:     53  AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
    18:     53  AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
    19:     53  AES256-SHA                   256   DTLS1   Native  AES      SHA     RSA
    20:     60  AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
    21:     47  AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
    22:     47  AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
    23:     47  AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA
    24:     47  AES128-SHA                   128   DTLS1   Native  AES      SHA     RSA
    25:     10  DES-CBC3-SHA                 168   TLS1    Native  DES      SHA     RSA
    26:     10  DES-CBC3-SHA                 168   TLS1.1  Native  DES      SHA     RSA
    27:     10  DES-CBC3-SHA                 168   TLS1.2  Native  DES      SHA     RSA
    28:     10  DES-CBC3-SHA                 168   DTLS1   Native  DES      SHA     RSA
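A way to check the ordering discussed in this thread, as an added example that is not part of any poster's reply: it parses `tmm --clientciphers` output in the column layout shown above, reports whether every forward-secret suite is listed before the first non-PFS suite, and lists RC4, 3DES and SSL3 entries. The function names, the KEYX prefixes other than `ECDHE_RSA`, and the `MIXED` sample are assumptions made for this example.

```python
import re

# One data row of `tmm --clientciphers`: index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX
ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELDS = ("index", "id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")

def parse_clientciphers(text):
    """Return one dict per data row; the header and any other lines are skipped."""
    return [dict(zip(FIELDS, m.groups()))
            for m in map(ROW.match, text.splitlines()) if m]

def is_pfs(row):
    # Assumption: ephemeral key exchange is recognisable by these KEYX prefixes.
    # Only ECDHE_RSA appears in the thread's output.
    return row["keyx"].startswith(("ECDHE", "DHE", "EDH"))

def audit(rows):
    """Return (pfs_first, misplaced, legacy) for rows in listed priority order."""
    seen_non_pfs, misplaced = False, []
    for r in rows:
        if not is_pfs(r):
            seen_non_pfs = True
        elif seen_non_pfs:
            misplaced.append((r["suite"], r["prot"]))  # PFS suite ranked below a non-PFS one
    # CIPHER column values RC4 and DES (shown for the DES-CBC3 suites), or SSL3 as protocol
    legacy = sorted({r["suite"] for r in rows
                     if r["cipher"] in ("RC4", "DES") or r["prot"] == "SSL3"})
    return (not misplaced, misplaced, legacy)

# Four rows taken from the second listing in the thread, re-indexed for brevity.
PFS_FIRST = """\
        ID  SUITE  BITS  PROT  METHOD  CIPHER  MAC  KEYX
 0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1:  49172  ECDHE-RSA-AES256-CBC-SHA     256  TLS1    Native  AES      SHA     ECDHE_RSA
 2:    157  AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM  SHA384  RSA
 3:     10  DES-CBC3-SHA                 168  TLS1    Native  DES      SHA     RSA
"""

# Constructed sample: an RSA suite listed ahead of an ECDHE suite, plus RC4 over SSL3.
MIXED = """\
 0:     53  AES256-SHA                   256  TLS1.2  Native  AES      SHA     RSA
 1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 2:      5  RC4-SHA                      128  SSL3    Native  RC4      SHA     RSA
"""

if __name__ == "__main__":
    for name, text in (("PFS_FIRST", PFS_FIRST), ("MIXED", MIXED)):
        print(name, audit(parse_clientciphers(text)))
```

On a BIG-IP the input would be the captured output of the `tmm --clientciphers '<string>'` command for the profile's cipher string.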