Forum Discussion
How to test cipher suite strength?
Hello Julio.
You can check what ciphers are going to be assigned by the F5 on the client side using this:
# tmm --clientciphers 'DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
6: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
8: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
KR,
Dario.
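One way to review the listing that `tmm --clientciphers` prints, added here as an example and not part of the post above or of F5's tooling: it parses each row and flags it against an assumed policy (legacy protocol, non-AEAD cipher, static RSA key exchange, key size below 128 bits). The function names, the policy values and the protocol labels `SSL2`/`SSL3` are assumptions; the sample rows are taken from the output above.

```python
import sys
from collections import namedtuple

Row = namedtuple("Row", "suite_id name bits prot method cipher mac keyx")

# Sample input: rows taken from the tmm output quoted in the post above.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
"""

# Assumed review policy (not from the post); adjust to your own baseline.
LEGACY_PROTOCOLS = {"SSL2", "SSL3", "TLS1", "TLS1.1"}
MIN_BITS = 128

def parse(text):
    """Parse the listing into Rows; data rows are 'N:' plus eight columns."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].rstrip(":").isdigit():
            rows.append(Row(int(f[1]), f[2], int(f[3]), *f[4:]))
    return rows

def findings(row):
    """Return the policy findings for one (suite, protocol) row."""
    out = []
    if row.prot in LEGACY_PROTOCOLS:
        out.append("legacy protocol " + row.prot)
    if "GCM" not in row.cipher and "CHACHA" not in row.cipher:
        out.append("non-AEAD cipher " + row.cipher)
    if row.keyx == "RSA":
        out.append("static RSA key exchange, no forward secrecy")
    if row.bits < MIN_BITS:
        out.append("key size %d below %d bits" % (row.bits, MIN_BITS))
    return out

def audit(text):
    """Map 'SUITE/PROT' to its findings; rows with no findings are omitted."""
    checked = ((r, findings(r)) for r in parse(text))
    return {"%s/%s" % (r.name, r.prot): f for r, f in checked if f}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, issues in audit(data).items():
        print(key + ": " + "; ".join(issues))
```

Saved output from `tmm --clientciphers` can be piped to the script on standard input; with no input it runs on the embedded sample.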
- Julio_Navarro, Apr 02, 2020
Cirrostratus
Thanks Dario!
How about "how to apply the options portion of the profile":
options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }
- Dario_Garrido, Apr 02, 2020
Noctilucent
'Options' are specific features to increase security. The better way is to enable all that you can.
REF - https://devcentral.f5.com/s/articles/ssl-profiles-part-5-ssl-options
KR,
Dario.