Forum Discussion
how to prioritize cipher suites
I am running version LTM BIGIP 12.1.3.5 and am confused as to how to prioritize cipher suites.
I am using this cipher string on some client and server side ssl profiles. DEFAULT:@STRENGTH:!3DES:!EXPORT:!EXP:!MD5:!RC4
If I add !DHE will it negate other DHE ciphers within DEFAULT suite?
Thanks. Dave
2 Replies
- RaghavendraSY
Altostratus
Yes. Please refer below article:
https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites
“!” – these ciphers are permanently deleted from the list and cannot reappear in the list even if explicitly stated.
“-” – these ciphers are deleted from the list but can be re-added by later options.
“+” – these ciphers are moved to the end of the list.
- wlopez
Cirrocumulus
You can test your cipher string using the following commands from bash:
tmm --clientciphers 'YOUR CLIENT SSL CIPHER STRING'
tmm --serverciphers 'YOUR SERVER SSL CIPHER STRING'
Example:
This will give you the default client ssl ciphers for the version you're running:
tmm --clientciphers 'DEFAULT'
With it you can see what's active by default on your version, and start working from there.
To view your current setup:
tmm --clientciphers 'DEFAULT:@STRENGTH:!3DES:!EXPORT:!EXP:!MD5:!RC4'
My recommendation based on your version, to comply with just about every regulation out there would be:
tmm --clientciphers 'ECDHE:DEFAULT:!DHE:!3DES:!TLSv1:@STRENGTH'
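The three operator rules quoted in the first reply, as a simplified model applied to the original question about !DHE. This is an added example, not part of the thread and not F5's or OpenSSL's parser; the suite list and its keyword tags are constructed for illustration, and ordering directives such as @STRENGTH are skipped rather than modelled.

```python
# Constructed sample: suite name -> keywords that select it.
# This is NOT the real DEFAULT list of any BIG-IP version.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"DEFAULT", "ECDHE"},
    "DHE-RSA-AES256-GCM-SHA384": {"DEFAULT", "DHE"},
    "AES256-SHA": {"DEFAULT", "RSA"},
    "DHE-RSA-AES128-SHA": {"DEFAULT", "DHE"},
    "DES-CBC3-SHA": {"DEFAULT", "3DES"},
}


def expand(cipher_string):
    """Apply '!', '-', '+' and bare keywords left to right; return the active list."""
    active, banned = [], set()
    for token in cipher_string.split(":"):
        if not token or token.startswith("@"):
            continue  # ordering directives (@STRENGTH) are not modelled here
        op = token[0] if token[0] in "!-+" else ""
        keyword = token[len(op):]
        # Keywords match whole tags, so "DHE" does not select "ECDHE" suites.
        matched = [s for s, tags in SUITES.items() if keyword in tags or keyword == s]
        if op == "!":
            # Permanent delete: removed now and barred from being re-added later.
            banned.update(matched)
            active = [s for s in active if s not in matched]
        elif op == "-":
            # Soft delete: removed now, but a later token may add it back.
            active = [s for s in active if s not in matched]
        elif op == "+":
            # Move suites that are already active to the end of the list.
            moved = [s for s in active if s in matched]
            active = [s for s in active if s not in matched] + moved
        else:
            # Bare keyword: append matching suites unless banned or already present.
            active += [s for s in matched if s not in banned and s not in active]
    return active


if __name__ == "__main__":
    for cs in ("DEFAULT:!DHE", "DEFAULT:!DHE:DHE", "DEFAULT:-DHE:DHE", "DEFAULT:+ECDHE"):
        print(cs, "->", expand(cs))
```

On a real BIG-IP, the authoritative result is what tmm --clientciphers prints for the same string.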