LTM Cipher rule

Hello: I've been asked to allow just some security protocols but I think there is not any manual way to just select these. I've tried creating a cipher rule or trying to select using the cipher gro...

security

CA_Valli
Jan 25, 2023
So, I ran this string :

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice)

You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects)

This should be all,
regards
CA

Kai_Wilke

MVP

Jan 29, 2023

Hi lmediavilla,

you may import the config below to deploy 5 alligned sets (aka. Highly Secure, Secure, Compatible, Highly Compatible, Compatible-Insecure) of cipher rules, cipher groups and SSL profiles to your units.

The SSL profiles can then be used as parrent profiles to easily switch between the different sets. Check the results of each set with SSL-Labs to see the resulting rating and client compatibility matrix.

ltm cipher rule SSLRule_Compatible {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Highly_Compatible {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Highly_Secure {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Insecure_Compatible {
	cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Secure {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:-TLSv1:-TLSv1_1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher group SSLGroup_Compatible {
	allow {
		SSLRule_Compatible { }
	}
}
ltm cipher group SSLGroup_Highly_Compatible {
	allow {
		SSLRule_Highly_Compatible { }
	}
}
ltm cipher group SSLGroup_Highly_Secure {
	allow {
		SSLRule_Highly_Secure { }
	}
}
ltm cipher group SSLGroup_Insecure_Compatible {
	allow {
		SSLRule_Insecure_Compatible { }
	}
}
ltm cipher group SSLGroup_Secure {
	allow {
		SSLRule_Secure { }
	}
}
ltm profile client-ssl Master_ClientSSL_Profile_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Insecure_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
}
ltm profile client-ssl Master_ClientSSL_Profile_Secure {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
    renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
    renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
    renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Insecure_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
    renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Secure_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
    renegotiation disabled
}

Cheers, Kai

Forum Discussion

LTM Cipher rule

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Disabling Ciphers

Has anyone used F5 rules for AWS WAF?

Can this i-rule be used in an LTM traffic policy in the manner shown:

ASM provided signatures rules text

SSL cipher: improve performance

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS