Forum Discussion
How to use only specific ciphers and avoid building negative list
- Dec 06, 2018
I got an answer from my friend. It's so simple:
TLSv1_2+ECDHE-RSA-AES256-GCM-SHA384:TLSv1_2+ECDHE-RSA-AES256-CBC-SHA:TLSv1_2+ECDHE-RSA-AES128-GCM-SHA256:TLSv1_2+ECDHE-RSA-AES128-CBC-SHA:@STRENGTH
Maybe someone will need it too :)
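As an added example (not from either poster), here is a small Python audit for cipher strings written in this allowlist style, using the string above as a constructed sample. The protocol keywords, the `+` (AND) and `@STRENGTH` handling, and the macro list are my assumptions about BIG-IP cipher-string syntax; the AEAD and forward-secrecy checks are a policy I chose, not something the thread states.

```python
"""Audit a BIG-IP style cipher string for allowlist hygiene (constructed example)."""

# Constructed sample: the cipher string quoted in the post above.
CIPHER_STRING = (
    "TLSv1_2+ECDHE-RSA-AES256-GCM-SHA384:TLSv1_2+ECDHE-RSA-AES256-CBC-SHA:"
    "TLSv1_2+ECDHE-RSA-AES128-GCM-SHA256:TLSv1_2+ECDHE-RSA-AES128-CBC-SHA:@STRENGTH"
)

# Protocol keywords ranked weakest to strongest (assumed BIG-IP spelling).
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}
# Group macros expand to an implicit set that can change between software versions.
MACROS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "NATIVE", "COMPAT"}


def parse(cipher_string):
    """Split a colon-separated string into (protocol set, cipher) pairs plus @-directives.

    Exclusions ('!' / '-') and macros are rejected: an allowlist must name every
    cipher it permits so nothing is left to implicit expansion.
    """
    entries, directives = [], []
    for token in filter(None, cipher_string.split(":")):
        if token.startswith("@"):          # e.g. @STRENGTH: an ordering directive
            directives.append(token[1:])
            continue
        if token[0] in "!-":
            raise ValueError(f"negative entry {token!r}: not a pure allowlist")
        parts = token.split("+")           # '+' means AND: protocol pin + cipher
        protocols = {p for p in parts if p in PROTOCOL_RANK}
        ciphers = [p for p in parts if p not in PROTOCOL_RANK]
        if any(c in MACROS for c in ciphers):
            raise ValueError(f"macro in {token!r}: expands to an implicit list")
        entries.append((protocols, "+".join(ciphers)))
    return entries, directives


def audit(cipher_string, min_protocol="TLSv1_2"):
    """Return one finding per policy violation; an empty list means clean."""
    findings, floor = [], PROTOCOL_RANK[min_protocol]
    for protocols, cipher in parse(cipher_string)[0]:
        if not protocols:
            findings.append(f"{cipher}: no protocol pin, relies on profile options")
        for proto in sorted(protocols, key=PROTOCOL_RANK.get):
            if PROTOCOL_RANK[proto] < floor:
                findings.append(f"{cipher}: allowed on {proto}, below {min_protocol}")
        if not cipher.startswith("ECDHE-"):
            findings.append(f"{cipher}: no forward secrecy")
        if not any(mode in cipher for mode in ("GCM", "CCM", "CHACHA20")):
            findings.append(f"{cipher}: not an AEAD suite (CBC mode)")
    return findings
```

Run against the sample string it reports only the two CBC suites, which is the kind of residual finding worth documenting in the profile description.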
- May 18, 2019
Hi,
I am doing a similar project at the moment but our goal is to stop the TLS1.0 protocol and secure the ciphers. Therefore it is even easier if you skip the protocol in your cipher string for easy understanding and later upgrades, but limit the protocol support in the options. With this approach you can easily "play", and if TLS1.3 comes into the picture, add or reject it for the SSL handshake by just adding it to the enabled options list.
I created a few specific "parent profiles" going from base, medium and max secure, each with their own configuration. Those parents can then be assigned to each SSL Client profile you create, so you only need to maintain 3 sets of profiles and all the others will inherit the ciphers from them. Easy troubleshooting, understanding and reporting to security.
- clientssl_base_unsecure - TLS1.0, TLS1.1 and TLS1.2
- clientssl_base_secure - TLS1.1 and TLS1.2
- clientssl_medium_secure - TLS1.2
- clientssl_max_secure - TLS1.2
So the base still has the broadest support, on TLS1.1 and TLS1.2 using Elliptic Curve ciphers + RSA, enforcing the strongest encryption first and limiting the key length. Medium has only TLS1.2 support in comparison with the base profile, and RSA is removed. Max is also TLS1.2 only, but in contrast with medium it only allows key lengths of 256 bits or higher.
The cipher string is clean, easy to read and now ready to be re-used as a parent profile for your own clientssl profiles. As you see below you don't need to add it each and every time because it's inherited, from clientssl_max_secure in this case.
I ran all of those against ssllabs scanning and received an A+ grade for each of them, which is nice, and our security department found it nice as well.
Marked both of these as Solutions - if OP disagrees or needs to caveat feel free to un-Accept either as solution.
Been a while but "Better Solutioned Late than Never" 😄
Thanks