Forum Discussion

lmediavilla's avatar
lmediavilla
Icon for Nimbostratus rankNimbostratus
Jan 24, 2023
Solved

LTM Cipher rule

Hello: I've been asked to allow just some security protocols but I think there is not any manual way to just select these. I've tried creating a cipher rule or trying to select using the cipher gro...
security
  • CA_Valli's avatar
    CA_Valli
    Jan 25, 2023

    So, I ran this string :

     

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

     

     

    This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice) 

     

    You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

     

    or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects) 

     

     

    This should be all,
    regards
    CA

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Jan 24, 2023

You can tune your clientSSL profile's "cipher string" parameter, if you need those suites only you could possibly specify them explicitely. 

Check this cheat sheet out, it's still pretty valid: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf

run in the cli: tmm --ciphersuites "<string>" to see what your string matches before installing