Forum Discussion
What_Lies_Bene1 (Cirrostratus), Oct 27, 2014
Management Interface SSL Ciphers
Hey all,
So, I'm trying to restrict the SSL ciphers used with the management interface (including iControl). To test this, I've used the [tmsh] modify sys httpd ssl-ciphersuite ... command with...
What_Lies_Bene1 (Cirrostratus), Oct 28, 2014
Just for the benefit of others, I've implemented just the TLS1.2-supported ciphers using this string:
NONE:DHE-RSA-AES256-SHA:AES256-SHA
OpenSSL reports as follows (ignore the SSLv3 output, it's just an OpenSSL 'thing'):
$ openssl ciphers -v NONE:DHE-RSA-AES256-SHA:AES256-SHA
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
And here's the output from ssldump proving that, when I connect, only one of these ciphers is used:
$ ssldump -ndX
New TCP connection 1: 10.11.12.13(50592) <-> 192.168.1.1(443)
1 1 0.0491 (0.0491) C>S Handshake
ClientHello
Version 3.1
resume [32]=
13 70 c7 87 b7 5a 78 8d b6 ca fd cc 4d 92 f9 17
d0 61 90 36 5b 1b 69 cd f1 e5 e7 f9 5f 2a 5b e1
cipher suites
Unknown value 0xc02b
Unknown value 0xc02f
Unknown value 0x9e
Unknown value 0xcc14
Unknown value 0xcc13
Unknown value 0xc00a
Unknown value 0xc009
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc007
Unknown value 0xc011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x9c
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0513 (0.0022) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
13 70 c7 87 b7 5a 78 8d b6 ca fd cc 4d 92 f9 17
d0 61 90 36 5b 1b 69 cd f1 e5 e7 f9 5f 2a 5b e1
cipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
Here's what happens if I try to connect using Firefox configured to use unwanted ciphers:
1 1 0.0074 (0.0074) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0xff
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x45
SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0080 (0.0005) S>C Alert
level fatal
value handshake_failure
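The two ssldump captures above are the evidence that the httpd cipher restriction holds: the server picks one of the two allowed suites when a client offers them, and sends a fatal handshake_failure alert when it does not. The script below is an added example (not code from the post or from F5) that turns that manual reading into a repeatable check: it parses `ssldump -ndX` text, decodes the suite IDs that this older ssldump build prints as "Unknown value 0x...", lists any weak suites the client offered, and reports whether the server ever negotiated a suite outside the allow-list. The SUITE_NAMES table is taken from the IANA cipher-suite registry; ALLOWED is the post's tmsh string in IANA naming; the sample captures are constructed, abridged copies of the post's own output.

```python
"""Audit an ssldump capture against a management-interface cipher allow-list.
Added example, not code from the original post: parses `ssldump -ndX` text,
decodes IDs older ssldump builds print as "Unknown value 0x...", and checks
that the server only negotiates suites from the configured list."""
import re

# IANA cipher-suite IDs for values the post's ssldump build could not name.
SUITE_NAMES = {
    0xc02b: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xc007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xc011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
}
# The post's tmsh string NONE:DHE-RSA-AES256-SHA:AES256-SHA, in IANA names.
ALLOWED = {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}
# Substrings marking a suite as weak whether or not the server accepts it.
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "_NULL_", "EXPORT", "WITH_DES_")

RECORD_RE = re.compile(r"^\d+\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(\w+)")
UNKNOWN_RE = re.compile(r"^Unknown value 0x([0-9a-fA-F]+)$")

def suite_name(token):
    """Normalise one ssldump suite line to its IANA TLS_ name."""
    m = UNKNOWN_RE.match(token)
    if m:
        code = int(m.group(1), 16)
        return SUITE_NAMES.get(code, "UNKNOWN_0x%04x" % code)
    return "TLS_" + token[4:] if token.startswith("SSL_") else token

def parse_ssldump(text):
    """Split ssldump output into records carrying only the fields we audit."""
    records, cur, in_suites = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:  # "1 1 0.0491 (0.0491) C>S Handshake" starts a new record
            cur = {"dir": m.group(1), "type": m.group(2),
                   "suites": [], "chosen": None, "alert": None}
            records.append(cur)
            in_suites = False
        elif cur is None or not line:
            continue
        elif line == "cipher suites":
            in_suites = True
        elif line == "compression methods":
            in_suites = False
        elif in_suites:
            cur["suites"].append(suite_name(line))
        elif line.startswith("cipherSuite "):
            cur["chosen"] = suite_name(line.split(None, 1)[1])
        elif cur["type"] == "Alert" and line.startswith("value "):
            cur["alert"] = line.split(None, 1)[1]
    return records

def audit(text, allowed=ALLOWED):
    """Summarise the exchange and decide whether the server stayed in policy."""
    recs = parse_ssldump(text)
    offered = [s for r in recs if r["dir"] == "C>S" for s in r["suites"]]
    negotiated = next((r["chosen"] for r in recs if r["chosen"]), None)
    alert = next((r["alert"] for r in recs if r["alert"]), None)
    outcome = "negotiated" if negotiated else ("refused" if alert else "incomplete")
    return {
        "offered": offered,
        "weak_offered": [s for s in offered if any(w in s for w in WEAK_MARKERS)],
        "negotiated": negotiated,
        "alert": alert,
        "outcome": outcome,
        # In policy: the server never selected a suite outside the allow-list.
        "compliant": negotiated is None or negotiated in allowed,
    }

# Constructed samples, abridged from the ssldump output in the post above.
CAPTURE_ACCEPTED = """\
New TCP connection 1: 10.11.12.13(50592) <-> 192.168.1.1(443)
1 1 0.0491 (0.0491) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0xc02b
Unknown value 0xc007
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0513 (0.0022) S>C Handshake
ServerHello
Version 3.1
cipherSuite TLS_DHE_RSA_WITH_AES_256_CBC_SHA
"""
CAPTURE_REFUSED = """\
1 1 0.0074 (0.0074) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0xff
Unknown value 0x45
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.0080 (0.0005) S>C Alert
level fatal
value handshake_failure
"""
```

Run `audit(CAPTURE_ACCEPTED)` and `audit(CAPTURE_REFUSED)` (or feed the script a saved ssldump log) and look at `compliant` and `weak_offered`: the first tells you whether the httpd cipher-suite setting is actually being enforced, the second tells you which clients on your network are still offering RC4, 3DES or MD5 suites and would break if you tightened the list further. Note that `compliant` is about the server's choice only; an "incomplete" outcome (no ServerHello and no alert in the capture) is neither pass nor fail and should be re-captured.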