Forum Discussion

bcrogerz's avatar
bcrogerz
Icon for Cirrus rankCirrus
Jan 12, 2015
Solved

Logic behind F5's Cipher Suite selection from the default Cipher suite

!SSLv3:!SSLv2:AES:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED (Cipher suite used) The intention is to enable the clients to be able to select AES as their cipher suite. 1.) Now does this AES being con...
application delivery
design
LTM
performance
security
TMOS
  • Brad_Parker's avatar
    Brad_Parker
    Jan 12, 2015
    We actually use "!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES"
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Jan 12, 2015

tmm --clientciphers ''
will show you the preference order based on your string. You can order them however you want and you don't have to use 
@SPEED
or 
@STRENGTH
. At strength will prioritized based on key size, so if you want PFS it won't be prioritized as ECDH has smaller key sizes.

  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Jan 12, 2015
    We actually use "!EXPORT:!DH:!MD5:!SSLv3:!DTLSv1:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES"