Forum Discussion
LTM Cipher rule
Hello:
I've been asked to allow just some security protocols, but I think there is no manual way to select just these.
I've tried creating a cipher rule or trying to select using the cipher group.
Is this even possible?
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256
Kind regards.
So, I ran this string:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256
This should be exactly what you need (BIG-IP 15.1.5.1), as there are 3 repetitions in your list (49199, 49200 and 52392 are all mentioned twice).
You can either use a rule + group now (which might be better if you want to reuse it in multiple profiles)
or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer to as "parent" when creating all of your other objects).
This should be all,
regards
CA
Hi,
I've done this recently; the F5 has a great cipher config.
I think it's under Local Traffic > Profiles and you're looking for Ciphers.
First you need to build a cipher rule,
so once you have found the Ciphers section go and hit Create and make a new rule.
There is a cipher string, which is comma delimited, that you can start adding to, and it starts building and confirming your policy. If you get the string wrong it will tell you straight away!
This may help
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiation-configuration-13-0-0/1.html
So might "Overview of BIG-IP SSL/TLS cipher suites" (f5.com) and "SSL ciphers supported on BIG-IP platforms (15.x)" (f5.com).
For one thing, are you expecting TLS 1.2 and 1.3? I'm no expert but I think the last one is TLS 1.3 only.
Once you have a cipher rule and cipher group worked out, you need to go to your client SSL profile, and MAKE SURE YOU CLICK ADVANCED!!!
Look for Cipher Group, and tick the Custom box on the right hand side.
Then move the radio button to Cipher Group; you should then see a drop-down box with your cipher group in it.
Then, just below that, there is a TLS filter type section, and it's on negative logic, so things like "no tls1.3" or "no ssl".
So you need to make sure that is also set correctly.
I had a phase when the cipher rule had TLS 1.3 configured in it, but I hadn't removed "no tls1.3" from the client SSL policy.
90 mins of my life I won't get back!
Lastly, I fully recommend getting a workstation in front of the F5 where you can test the profiles being offered on the F5. nmap has a command that will tell you if you have it right or not. If you need that let me know. Hope that helps; if you need some images let me know.
You can tune your clientSSL profile's "cipher string" parameter; if you need those suites only, you could possibly specify them explicitly.
Check this cheat sheet out, it's still pretty valid: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf
Run in the CLI: tmm --ciphersuites "<string>" to see what your string matches before installing.
- lmediavilla (Nimbostratus)
Hello:
How can I specify them explicitly? Because everything points to me needing a cipher suite string. That is a kind of search; I cannot find a pattern to match my needs. The PDF looks great.
Kind regards
The configuration is implemented via a clientSSL profile.
Every suite you listed is uniquely identified by an ID; for example (according to this link) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 has ID 0xC02F (or 49199 in decimal).
When you run the command in my last comment on BIG-IP, look for suite ID 49199, copy the text and paste it in the cipher string to include that suite only. To build more suites, you use : (include) or :! (exclude), just like the PDF shows you.
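The dedup step CA describes (three suites listed twice) and the ID-based selection from this answer, as an added example that is not from the thread: it maps the questioner's IANA names to BIG-IP cipher names, drops duplicates by suite ID and emits one colon-separated cipher string. It assumes the IANA suite IDs and the BIG-IP spellings used in the replies (TLS13- prefix for TLS 1.3 suites, -SHA256 suffix on the CHACHA20 suites); confirm the result on the unit before putting it in a profile.

```python
import re
# IANA name -> (IANA suite ID, BIG-IP name as spelled in the replies above).
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": (0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305-SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": (0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"),
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": (0x009E, "DHE-RSA-AES128-GCM-SHA256"),
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": (0x009F, "DHE-RSA-AES256-GCM-SHA384"),
    "TLS_AES_128_GCM_SHA256": (0x1301, "TLS13-AES128-GCM-SHA256"),
    "TLS_AES_256_GCM_SHA384": (0x1302, "TLS13-AES256-GCM-SHA384"),
    "TLS_CHACHA20_POLY1305_SHA256": (0x1303, "TLS13-CHACHA20-POLY1305-SHA256"),
}

def canonical(name):
    """Repair the question's loose spellings (AES128 -> AES_128, missing _SHA256) and trailing commas."""
    name = re.sub(r"AES(128|256)", r"AES_\1", name.strip().rstrip(","))
    if name.endswith("_CHACHA20_POLY1305"):
        name += "_SHA256"
    return name

def build_cipher_string(requested):
    """Return (cipher_string, duplicate_ids); first occurrence wins, so the request order is kept."""
    seen, order, dups = set(), [], []
    for raw in requested:
        suite_id, f5_name = SUITES[canonical(raw)]  # an unknown name raises KeyError
        if suite_id in seen:
            dups.append(suite_id)
            continue
        seen.add(suite_id)
        order.append(f5_name)
    return ":".join(order), dups

# The requested list, copied from the question including its spelling variants.
REQUESTED = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256
""".split()
if __name__ == "__main__":
    cipher_string, duplicates = build_cipher_string(REQUESTED)
    print(cipher_string)
    print("duplicate suite IDs:", [f"0x{i:04X} ({i})" for i in duplicates])
```

Paste the printed string into the cipher rule and compare what the unit reports for it with the eleven suite IDs you expect; anything extra or missing means a name did not map the way you assumed.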
Hi lmediavilla,
You may import the config below to deploy 5 aligned sets (aka Highly Secure, Secure, Compatible, Highly Compatible, Compatible-Insecure) of cipher rules, cipher groups and SSL profiles to your units.
The SSL profiles can then be used as parent profiles to easily switch between the different sets. Check the results of each set with SSL Labs to see the resulting rating and client compatibility matrix.
ltm cipher rule SSLRule_Compatible { cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-DTLSv1 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher rule SSLRule_Highly_Compatible { cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:-SSLv3:-DTLSv1 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher rule SSLRule_Highly_Secure { cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher rule SSLRule_Insecure_Compatible { cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:-SSLv3:-DTLSv1 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher rule SSLRule_Secure { cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:-TLSv1:-TLSv1_1 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher group SSLGroup_Compatible { allow { SSLRule_Compatible { } } }
ltm cipher group SSLGroup_Highly_Compatible { allow { SSLRule_Highly_Compatible { } } }
ltm cipher group SSLGroup_Highly_Secure { allow { SSLRule_Highly_Secure { } } }
ltm cipher group SSLGroup_Insecure_Compatible { allow { SSLRule_Insecure_Compatible { } } }
ltm cipher group SSLGroup_Secure { allow { SSLRule_Secure { } } }
ltm profile client-ssl Master_ClientSSL_Profile_Compatible { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } }
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Highly_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } }
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Highly_Secure ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } }
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Insecure_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true }
ltm profile client-ssl Master_ClientSSL_Profile_Secure { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Secure ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } }
ltm profile client-ssl Master_ClientSSL_Profile_Compatible_HTTP2 { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } renegotiation disabled }
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible_HTTP2 { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Highly_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } renegotiation disabled }
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure_HTTP2 { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Highly_Secure ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } renegotiation disabled }
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible_HTTP2 { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Insecure_Compatible ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true renegotiation disabled }
ltm profile client-ssl Master_ClientSSL_Profile_Secure_HTTP2 { app-service none cert-key-chain { default { cert default.crt key default.key } } cipher-group SSLGroup_Secure ciphers none defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain true options { dont-insert-empty-fragments } renegotiation disabled }
Cheers, Kai
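A consistency check for the pitfall described earlier in the thread (a cipher rule that offers TLS 1.3 suites under a client SSL profile that still disables TLS 1.3), run over config in the shape of Kai's post; this is an added example and not code from the thread or from F5. It assumes the one-object-per-line layout shown above (real tmsh list output is multi-line and would need a different parser) and the tmsh option token no-tlsv1.3; the sample config is constructed, with one deliberately broken profile.

```python
import re

# Constructed sample (not from the thread): Kai's Highly_Secure rule and group,
# plus two profiles, one still carrying the no-tlsv1.3 option.
CONFIG = """
ltm cipher rule SSLRule_Highly_Secure { cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 dh-groups DEFAULT signature-algorithms DEFAULT }
ltm cipher group SSLGroup_Highly_Secure { allow { SSLRule_Highly_Secure { } } }
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure { cipher-group SSLGroup_Highly_Secure ciphers none defaults-from clientssl options { dont-insert-empty-fragments } }
ltm profile client-ssl Broken_ClientSSL_Profile { cipher-group SSLGroup_Highly_Secure ciphers none defaults-from clientssl options { dont-insert-empty-fragments no-tlsv1.3 } }
"""

def parse(cfg):
    """Pull cipher rules, cipher groups and client-ssl profiles out of one-object-per-line tmsh text."""
    rules = dict(re.findall(r"ltm cipher rule (\S+) \{ cipher (\S+)", cfg))
    groups = {g: re.findall(r"(\S+) \{ \}", body) for g, body in
              re.findall(r"ltm cipher group (\S+) \{ allow \{ (.*) \} \}", cfg)}
    profiles = {}
    for name, body in re.findall(r"ltm profile client-ssl (\S+) \{(.*)\}", cfg):
        group = re.search(r"cipher-group (\S+)", body)
        opts = re.search(r"options \{ (.*?) \}", body)
        profiles[name] = (group.group(1) if group else None,
                          opts.group(1).split() if opts else [])
    return rules, groups, profiles

def tls13_mismatches(cfg):
    """Profiles whose cipher group offers TLS13- suites while the profile itself
    still disables TLS 1.3 with the no-tlsv1.3 option (the pitfall described above)."""
    rules, groups, profiles = parse(cfg)
    bad = []
    for name, (group, opts) in profiles.items():
        suites = [s for r in groups.get(group, []) for s in rules[r].split(":")]
        if any(s.startswith("TLS13-") for s in suites) and "no-tlsv1.3" in opts:
            bad.append(name)
    return bad

if __name__ == "__main__":
    print("TLS 1.3 offered by rule but disabled in profile:", tls13_mismatches(CONFIG))
```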