Forum Discussion
How to test cipher suite strength?
Hello,
I am looking for a different way (if available) to test a client-ssl profile and its configured cipher suites, besides using openssl against a VIP with the profile in question.
Important: considering the options set.
Is this possible? I'm just looking for alternatives. Thank you.
For example:
ltm profile client-ssl test_clientssl {
app-service none
cert default.crt
cert-key-chain {
default_default {
cert default.crt
key default.key
}
}
chain none
ciphers DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH
defaults-from clientssl
inherit-certkeychain false
key default.key
options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }
passphrase none
}
- Dario_Garrido
Noctilucent
Hello Julio.
You can check what ciphers are going to be assigned by the F5 in the client-side using this:
# tmm --clientciphers 'DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH'
       ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
 5: 49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 6: 49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
 7: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
 8: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
 9: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
KR,
Dario.
- Julio_Navarro
Cirrostratus
Thanks Dario!
How about "how to apply the options portion of the profile":
options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }
- Dario_Garrido
Noctilucent
'Options' are specific features to increase security. The best way is to enable all that you can.
REF - https://devcentral.f5.com/s/articles/ssl-profiles-part-5-ssl-options
KR,
Dario.
- Julio_Navarro
Cirrostratus
Thanks Dario and Nixo1n for your quick replies.
Basically I am looking for the available cipher suites....
For example,
I would like to run a command and be able to get this against a profile:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
This will show all possible ciphers configured in the profile (taking the "options" portion into consideration).
- Dario_Garrido
Noctilucent
Hello Julio.
Sorry, but this doesn't make sense.
The cipher involves the F5, but 'options' normally refer to client application vulnerabilities.
An example:
"Netscape CA DN bug workaround: This option handles a defect regarding system instability. The system crashes or hangs if the following conditions are met: 1) the system accepts a Netscape browser connection, 2) the system demands a client certificate, 3) the system has a non-self-signed CA that does not have its CA in Netscape, and 4) the browser has a certificate. This option is in place to ensure the system does not crash or hang."
So in your previous capture you only take into account the cipher strength, not the options.
To test one specific platform you would need to test it from all the different possible clients, and from that you would have a complete list of how your environment behaves to those queries.
There are some applications like Qualys that allow you to test your public site from different clients, but this is far from being an official security audit of your F5 SSL strength. Take into account that some people work (for money) performing security audits, and it's not just a matter of entering a command in a CLI 😊.
Hope this helps.
KR,
Dario.
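The gap Dario points out above (tmm --clientciphers expands the cipher string but does not apply the profile's protocol options) can be closed offline. The following is an added example, not code from the thread or from F5: it parses the tmm table Dario posted (re-aligned here as constructed sample input), drops every row whose protocol is switched off by an option in Julio's profile (no-sslv3, no-tlsv1, no-tlsv1.1, ...), and grades what remains with FS/WEAK flags in the style of the SSL Labs listing Julio wants. The PROT column spellings in PROTO_DISABLED_BY are assumed from that output, and no-tlsv1.2 is assumed to exist as an option on the running version; the IANA hex IDs it prints (0xc030 and so on) follow from tmm's decimal ID column.

```python
"""Apply a client-ssl profile's protocol options to tmm --clientciphers output.

Added example, not from the thread or from F5.  tmm --clientciphers expands the
cipher string only; protocol-disabling options (no-sslv3, no-tlsv1, ...) are
applied by the profile on top of that list.  This script filters the tmm rows
accordingly and grades the survivors roughly the way SSL Labs does.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: the rows from the tmm --clientciphers output in the thread.
TMM_OUTPUT = """\
       ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
 5: 49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 6: 49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
 7: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
 8: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
 9: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
"""

# The options block of the profile posted in the thread.
PROFILE_OPTIONS: Set[str] = set(
    "netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding "
    "ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments "
    "no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use "
    "ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 "
    "pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug".split()
)

# Which option switches each PROT value off.  The PROT spellings are assumed from
# the tmm output above; "no-tlsv1.2" is assumed to exist on the running version.
PROTO_DISABLED_BY: Dict[str, str] = {
    "SSL2": "no-sslv2",
    "SSL3": "no-sslv3",
    "TLS1": "no-tlsv1",
    "TLS1.1": "no-tlsv1.1",
    "TLS1.2": "no-tlsv1.2",
    "DTLS1": "no-dtls",
}

# One tmm data row: "<n>: <ID> <SUITE> <BITS> <PROT> <METHOD> <CIPHER> <MAC> <KEYX>".
ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

# tmm's CIPHER column values that denote AEAD modes (assumed naming; "AES" alone is CBC).
AEAD_MARKERS = ("GCM", "POLY1305", "CCM")


def parse_clientciphers(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row; the header line does not match ROW_RE and is skipped."""
    return [m.groupdict() for m in (ROW_RE.match(line) for line in text.splitlines()) if m]


def effective_ciphers(rows: Iterable[Dict[str, str]], options: Set[str]) -> List[Dict[str, str]]:
    """Rows the VIP can still negotiate once the profile's protocol options are applied.

    A PROT value with no known disabling option is kept, so an unexpected spelling
    shows up in the output instead of silently vanishing.
    """
    return [r for r in rows if PROTO_DISABLED_BY.get(r["prot"]) not in options]


def grade(row: Dict[str, str]) -> List[str]:
    """Mimic the SSL Labs flags: FS for (EC)DHE key exchange, WEAK for non-FS or non-AEAD suites."""
    fs = row["keyx"].startswith(("ECDHE", "DHE"))
    aead = any(marker in row["cipher"] for marker in AEAD_MARKERS)
    flags = ["FS"] if fs else []
    if not (fs and aead):
        flags.append("WEAK")
    return flags


def iana_hex(tmm_id: str) -> str:
    """tmm prints the IANA suite ID in decimal; SSL Labs shows it in hex (49200 -> 0xc030)."""
    return f"0x{int(tmm_id):04x}"


def render(rows: Iterable[Dict[str, str]]) -> List[str]:
    """One report line per suite, in the order tmm emitted them (the server's order
    when cipher-server-preference is set, as it is in this profile)."""
    return [
        f"{r['prot']:<7} {iana_hex(r['id'])}  {r['suite']:<28} {' '.join(grade(r)):<8} {r['bits']}"
        for r in rows
    ]


if __name__ == "__main__":
    rows = parse_clientciphers(TMM_OUTPUT)
    kept = effective_ciphers(rows, PROFILE_OPTIONS)
    print(f"{len(rows)} rows from tmm, {len(kept)} negotiable after applying the options")
    for line in render(kept):
        print(line)
```

With Julio's options the ten tmm rows collapse to the six TLS1.2 entries, which is the list a scanner should see on the VIP; any TLS1 or TLS1.1 suite reported by an external test would then indicate that the profile on the VIP is not the one being inspected.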
- Dario_Garrido
Noctilucent
BTW, there are other similar tools like nmap that allow you to perform tests like Qualys does, but from inside your network.
nmap -sV --script ssl-enum-ciphers -p 443 <host>
To execute it, you need to download this script:
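One more alternative to the openssl CLI and nmap, as an added example that is not part of the thread: the server-preferred cipher order Julio asked for can be recovered by active negotiation from Python's ssl module alone. Each round offers every suite the client has that the server has not picked yet; because the profile sets cipher-server-preference, the suite the VIP selects each round is its next preference, and the handshake that finally fails marks the end of the list. The host name is a placeholder, certificate verification is deliberately off (the test targets the cipher configuration, not the chain), and the @SECLEVEL=0 string is OpenSSL 1.1.0+ syntax with a fallback for builds that reject it.

```python
"""Derive a VIP's server-preferred cipher order per protocol by active negotiation.

Added example, not from the thread or from F5.  Needs only Python's ssl module.
Assumes cipher-server-preference is enabled on the profile (it is in the one
posted); without it the picks follow the client's offer order instead.
"""
import socket
import ssl
import sys
from typing import Callable, Iterable, List, Optional

# negotiate(offered) -> suite the server chose, or None when the handshake failed.
Negotiator = Callable[[List[str]], Optional[str]]


def server_preferred_order(negotiate: Negotiator, candidates: Iterable[str]) -> List[str]:
    """Rank `candidates` the way the server prefers them.

    Each round offers everything not yet chosen; the pick is appended and removed.
    Pure logic with the handshake injected, so it can be exercised without a network.
    """
    remaining = list(dict.fromkeys(candidates))  # de-duplicate, keep order
    order: List[str] = []
    while remaining:
        chosen = negotiate(remaining)
        if chosen is None:            # server accepts none of what is left
            break
        if chosen not in remaining:   # misbehaving peer: refuse to loop forever
            raise RuntimeError(f"server selected {chosen!r}, which was not offered")
        order.append(chosen)
        remaining.remove(chosen)
    return order


def _context(version: ssl.TLSVersion, cipher_string: str) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version with the given cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # auditing ciphers, not the certificate chain
    ctx.verify_mode = ssl.CERT_NONE   # lab VIPs often still carry default.crt
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # @SECLEVEL=0 (OpenSSL 1.1.0+) lets the client offer legacy suites, so a weak
        # server configuration is detected rather than hidden by client defaults.
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers(cipher_string)  # older/other TLS libraries: no SECLEVEL syntax
    return ctx


def client_candidates() -> List[str]:
    """Every pre-TLS1.3 suite this Python/OpenSSL build can offer, in OpenSSL naming."""
    ctx = _context(ssl.TLSVersion.TLSv1_2, "ALL:COMPLEMENTOFALL")
    # TLS 1.3 suites are negotiated separately and are not selectable via set_ciphers().
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls_negotiator(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Negotiator:
    """Build a negotiate() callback that performs one real handshake with host:port."""
    def negotiate(offered: List[str]) -> Optional[str]:
        try:
            ctx = _context(version, ":".join(offered))
        except (ssl.SSLError, ValueError):   # nothing in `offered` usable at this version
            return None
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return tls.cipher()[0]    # (name, protocol, bits) -> OpenSSL suite name
        except (ssl.SSLError, OSError):       # handshake_failure alert, reset, timeout
            return None
    return negotiate


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vip.example.internal"  # placeholder VIP
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    candidates = client_candidates()
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        order = server_preferred_order(tls_negotiator(host, port, version), candidates)
        print(f"# {version.name}: {len(order)} suite(s) accepted, server-preferred order")
        for rank, name in enumerate(order, 1):
            print(f"{rank:2d}. {name}")
```

Run it as `python3 probe.py <vip-address> 443`; an empty list for TLSv1 and TLSv1_1 together with six suites for TLSv1_2 is what the profile posted in this thread should produce. Like any single-client probe, the result is bounded by the suites this client's TLS library can offer, which is Dario's point about needing several clients for a complete picture.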