Forum Discussion
How to test cipher suite strength?
Thanks Dario and Nixo1n for your quick replies.
Basically I am looking for the available cipher suites....
For example,
I would like to run a command and be able to get this against a profile:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
This will show all possible ciphers configured in the profile (taking into consideration the "options" portion).
- Dario_Garrido, Apr 03, 2020
Noctilucent
Hello Julio.
Sorry, but this doesn't make sense.
The cipher involves the F5, but 'options' normally refers to client application vulnerabilities.
An example:
"Netscape CA DN bug workaround: This option handles a defect regarding system instability. The system crashes or hangs if the following conditions are met: 1) the system accepts a Netscape browser connection, 2) the system demands a client certificate, 3) the system has a non-self-signed CA that does not have its CA in Netscape, and 4) the browser has a certificate. This option is in place to ensure the system does not crash or hang."
So in your previous capture you only take into account the cipher strength, not the options.
To test one specific platform you would need to test it from all the different clients possible, and depending on that you would have a complete list of how your environment behaves to those queries.
There are some applications like Qualys that allow you to test your public site from different clients, but this is far from being an official security audit of your F5 SSL strength. Take into account that some people work (for money) performing security audits, and it's not only putting a command in a CLI.
Hope this helps.
KR,
Dario.
- Dario_Garrido, Apr 03, 2020
Noctilucent
BTW, there are other similar tools like nmap that could allow you to perform web tests like Qualys, but from inside your network.
nmap -sV --script ssl-enum-ciphers -p 443 <host>
To execute it, you need to download this script:
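A small parser for the scanner-style listing Julio quoted (suite name, hex id, key exchange, FS / WEAK labels) that re-derives the labels from the IANA suite names, so output from nmap's ssl-enum-ciphers or Qualys can be cross-checked. This is an added example, not code from the thread or from F5; the classification rules (ECDHE/DHE gives forward secrecy, no FS or CBC mode is WEAK) are assumptions chosen to match the labels in the quoted listing, and the sample listing is constructed from that post.

```python
# Added example: re-derive FS / WEAK labels from TLS 1.2 suite names and
# compare them with what a scanner printed. Rules are assumptions matching
# the listing quoted in the thread: ECDHE or DHE key exchange = FS; no FS
# or a CBC-mode bulk cipher = WEAK. LISTING is constructed from that post.
import re

LISTING = """\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
"""

# One listing line: suite name, "(0x..)" id, then the scanner's remarks.
LINE_RE = re.compile(r"^(?P<name>TLS_\S+)\s+\((?P<id>0x[0-9a-f]+)\)(?P<rest>.*)$")


def parse_suite(name):
    """Split an IANA suite name into key exchange, bulk cipher, mode and MAC."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 suite name: {name}")
    kx_part, rest = name[4:].split("_WITH_", 1)   # "ECDHE_RSA", "AES_128_GCM_SHA256"
    bulk, mac = rest.rsplit("_", 1)               # "AES_128_GCM", "SHA256"
    aead = any(t in bulk for t in ("GCM", "CCM", "CHACHA20"))
    mode = "AEAD" if aead else "CBC" if "CBC" in bulk else "OTHER"
    return {"kx": kx_part.split("_")[0], "bulk": bulk, "mode": mode, "mac": mac}


def verdict(name):
    """Return the label a scanner would print: 'FS', 'FS WEAK' or 'WEAK'."""
    s = parse_suite(name)
    fs = s["kx"] in ("ECDHE", "DHE")          # ephemeral key exchange
    weak = (not fs) or s["mode"] == "CBC"     # static RSA kx or CBC mode
    return " ".join(t for t, on in (("FS", fs), ("WEAK", weak)) if on)


def check_listing(text):
    """Return (name, printed_label, our_label) for lines whose labels disagree."""
    mismatches = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        remarks = m["rest"] + " "
        printed = " ".join(t for t in ("FS", "WEAK") if f" {t} " in remarks)
        if printed != verdict(m["name"]):
            mismatches.append((m["name"], printed, verdict(m["name"])))
    return mismatches


if __name__ == "__main__":
    for line in LISTING.splitlines():
        print(verdict(line.split()[0]).ljust(8), line.split()[0])
    print("mismatches:", check_listing(LISTING))
```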
- Julio_Navarro, Apr 24, 2020
Cirrostratus
Thank you Dario!