Forum Discussion
Need help in setting strong Cipher string
Hello,
We have a request to set cipher suite on F5 LBs that includes following. Can someone suggest correct string that should be used to achieve this ? Also let me know if it can be set to all SSL profiles globally ?
Existing Cipher string on the LB
list /sys httpd ssl-ciphersuite
sys httpd {
    ssl-ciphersuite ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Required Parameters
1) Hashes
   a. Disable MD5
   b. Enable SHA2
   c. Review impact of disabling SHA1 (on the near horizon it will need to be disabled)
2) Key Exchange
   a. Enable PKCS
   b. Enable Diffie-Hellman
3) Enable Forward Secrecy
4) Review impact of disabling Insecure Renegotiations
5) TLS
   a. Enable 1.1
   b. Enable 1.2
   c. Review impact of disabling 1.0
6) Disable SSL Compression
7) Disable weak ciphers
   a. Null
   b. RC2
   c. RC4
   d. DES
   e. Triple DES
8) Enable Ciphers
   a. AES 128
   b. AES 256
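An added check, not posted by anyone in this thread, that maps the requirement list above onto a candidate suite list so each item can be verified before the string goes onto a profile. The input format is the one `openssl ciphers -v '<string>'` prints (name, protocol, Kx=, Au=, Enc=, Mac=); the SAMPLE below is constructed, not output from the poster's BIG-IP, and the requirement keys are names chosen here.

```python
import re

# Constructed sample in `openssl ciphers -v` line format. Replace with the real
# output for the cipher string under review; the parser skips lines it cannot read.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
"""

LINE = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
WEAK_ENC = {"None", "RC2", "RC4", "DES", "3DES"}  # requirement 7: Null, RC2, RC4, DES, 3DES

def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts keyed name/proto/kx/au/enc/mac."""
    keys = ("name", "proto", "kx", "au", "enc", "mac")
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [dict(zip(keys, m.groups())) for m in matches if m]

def audit(suites):
    """Evaluate the parsed suites against the requirement list in the question.
    List-valued entries name offending suites; *_ok entries must be True."""
    enc_alg = lambda s: s["enc"].split("(")[0]        # "AESGCM(256)" -> "AESGCM"
    is_dh = lambda s: s["kx"].startswith(("DH", "ECDH"))  # (EC)DHE => forward secrecy
    return {
        "md5_mac":   [s["name"] for s in suites if s["mac"] == "MD5"],       # 1a
        "weak_enc":  [s["name"] for s in suites if enc_alg(s) in WEAK_ENC],  # 7
        "sha1_mac":  [s["name"] for s in suites if s["mac"] == "SHA1"],      # 1c (review)
        "no_pfs":    [s["name"] for s in suites if not is_dh(s)],            # 3 (review)
        "sha2_ok":   any(s["mac"] in ("SHA256", "SHA384") for s in suites),  # 1b
        "dh_ok":     any(is_dh(s) for s in suites),                          # 2b
        "aes128_ok": any(enc_alg(s).startswith("AES") and "(128)" in s["enc"] for s in suites),
        "aes256_ok": any(enc_alg(s).startswith("AES") and "(256)" in s["enc"] for s in suites),
    }

def failed(report):
    """Requirement keys that are not met; the two review items are not counted as failures."""
    return sorted(k for k, v in report.items()
                  if (k.endswith("_ok") and not v) or (k in ("md5_mac", "weak_enc") and v))

if __name__ == "__main__":
    report = audit(parse_ciphers_v(SAMPLE))
    for key, value in report.items():
        print(f"{key:10} {value}")
    print("FAILED:", failed(report))
```

Items 4, 5 and 6 (renegotiation, protocol versions, compression) are profile settings rather than cipher-string properties, so they are outside what this check can see.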
6 Replies
- IheartF5_45022
Nacreous
The very first question to ask is: what version are you running? Are you trying to influence the ciphers used by TMM clientssl/serverssl, or the ciphers used by the management GUI? What you've listed is the ciphers used by the management GUI, not the TMM SSL profiles.
The short answer for the TMM profile can be found here http://mikeboylan.com/2014/05/02/f5-perfect-forward-secrecy/. I'm pretty sure that this will cover most if not all your requirements. Just add !RC4 onto the end of the string he gives.
You'll also want to order a SHA-2 SSL certificate to meet that requirement. All the major CAs issue these now.
- swapnil_89332
Nimbostratus
Thanks for your response.
We are running version 10.2.4, and yes, I was asking about the TMM client SSL profile.
If we add the updated cipher string to the parent SSL profile, will it apply to all the child SSL profiles under it?
- IheartF5_45022
Nacreous
Hi, sorry for the late reply. No, you can't update the 'canned' profiles; you'll need to create a new clientssl_best profile (inheriting from clientssl) and then inherit from that instead of clientssl. That way you can update everyone at the same time easily.
- Steve_M__153836
Nimbostratus
You're going to be somewhat limited in terms of cipher suites because you're running 10.2.4. To use, at least what browsers will consider, modern cryptography you need to get to version 11.5 or later (support for AES-GCM cipher suites). This thread is a good discussion around PFS and other cipher suite issues.
- IheartF5_45022
Nacreous
Oh dear, I'm afraid I didn't read your response correctly and didn't notice 10.2.4. Yes, you are pretty much screwed there re PFS; the best you can do is a SHA-2 cert with the following cipher string:
ciphers "DEFAULT:!SSLv3:!RC4"
which will get you (currently) an A- on Qualys/SSL Labs (as long as you also insert a Strict-Transport-Security header in HTTP responses), and all your requirements above EXCEPT PFS.
Mozilla's wiki lists several "strong" cipher lists for various platforms including the BIG-IP. I loaded their example into a unit running 11.6.0 HF5 and Qualys SSL Labs scores it at an A rating. You'd need to add HSTS to the virtual server in order to get that A+, I believe.
https://wiki.mozilla.org/Security/Server_Side_TLSF5_BIG-IP