Forum Discussion

swapnil_89332
Sep 10, 2015

Need help in setting strong Cipher string

Hello,
We have a request to set the cipher suite on our F5 LBs so that it meets the following requirements. Can someone suggest the correct string to achieve this? Also, can it be set on all SSL profiles globally?

Existing Cipher string on the LB

list /sys httpd ssl-ciphersuite
sys httpd { ssl-ciphersuite ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Required Parameters

1) Hashes
   a. Disable MD5
   b. Enable SHA2
   c. Review impact of disabling SHA1 (on the near horizon it will need to be disabled)
2) Key Exchange
   a. Enable PKCS
   b. Enable Diffie-Hellman
3) Enable Forward Secrecy
4) Review impact of disabling Insecure Renegotiations
5) TLS
   a. Enable 1.1
   b. Enable 1.2
   c. Review impact of disabling 1.0
6) Disable SSL Compression
7) Disable weak ciphers
   a. Null
   b. RC2
   c. RC4
   d. DES
   e. Triple DES
8) Enable Ciphers
   a. AES 128
   b. AES 256

6 Replies

  • The very first question to ask is: what version are you running? Are you trying to influence the ciphers used by TMM clientssl/serverssl? Or the ciphers used by the management GUI? What you've listed is the ciphers used by the management GUI, not TMM SSL profiles.

    The short answer for the TMM profile can be found here http://mikeboylan.com/2014/05/02/f5-perfect-forward-secrecy/. I'm pretty sure that this will cover most if not all your requirements. Just add !RC4 onto the end of the string he gives.
    You'll also want to order a SHA-2 SSL certificate to meet that requirement. All the major CAs issue these now.
  • Thanks for your response.
    We are running version 10.2.4, and yes, I was asking about the TMM client SSL profile.

    If we add the updated cipher string to the parent SSL profile, will it apply to all the child SSL profiles under it?

  • Hi, sorry for the late reply. No, you can't update the 'canned' profiles; you'll need to create a new clientssl_best profile (inheriting from clientssl) and then inherit from that instead of clientssl. That way you can update everyone at the same time easily.

  • You're going to be somewhat limited in terms of cipher suites because you're running 10.2.4. To use what browsers will, at least, consider modern cryptography, you need to get to version 11.5 or later (support for AES-GCM cipher suites). This thread is a good discussion around PFS and other cipher suite issues.

  • Oh dear, I'm afraid I didn't read your response correctly and didn't notice 10.2.4. Yes, you are pretty much screwed there re PFS; the best you can do is a SHA-2 cert with the following cipher string:

    ciphers "DEFAULT:!SSLv3:!RC4"


    which will (currently) get you an A- on Qualys SSL Labs (as long as you also insert a Strict-Transport-Security header in HTTP responses), and all your requirements above EXCEPT PFS.
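The thread leaves the asker to verify by hand which of the listed requirements a given cipher string actually satisfies. The script below is an added example, not code from the thread or from F5: it expands an OpenSSL-syntax cipher string with the local OpenSSL and then checks the resulting suite names against the requirements in the original post (no NULL/RC2/RC4/DES/3DES/MD5, forward secrecy present, AES-128 and AES-256 present). The `audit` function also works on a hand-written list of suite names, which matters here because a current OpenSSL build no longer contains the RC4/DES/export suites an old 10.2.4 box would offer; the `CONSTRUCTED_10X_OFFER` list is a constructed sample standing in for such a box, not output from a real device.

```python
import re
import ssl

# Cipher strings quoted in the thread (OpenSSL cipher-list syntax, as used by tmsh).
EXISTING_HTTPD = "ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
SUGGESTED_CLIENTSSL = "DEFAULT:!SSLv3:!RC4"

# Requirements 1a and 7 from the post, as patterns over OpenSSL suite names.
WEAK_PATTERNS = {
    "NULL": re.compile(r"(^|-)NULL-"),
    "RC2": re.compile(r"(^|-)RC2-"),
    "RC4": re.compile(r"(^|-)RC4-"),
    "DES": re.compile(r"(^|-)DES-CBC-"),   # single DES only; DES-CBC3 is 3DES
    "3DES": re.compile(r"DES-CBC3|3DES"),
    "MD5": re.compile(r"-MD5$"),
}
# Requirement 3: ephemeral (EC)DH key exchange. TLS 1.3 suites (TLS_*) are always ephemeral.
FS_PATTERN = re.compile(r"^(ECDHE|DHE|EDH|TLS_)")
# Requirement 8: AES-128 / AES-256 (TLS 1.3 names use an underscore, e.g. TLS_AES_128_GCM_SHA256).
AES128 = re.compile(r"AES_?128")
AES256 = re.compile(r"AES_?256")

# Constructed sample of what an old TLS stack might offer; NOT captured from a real device.
CONSTRUCTED_10X_OFFER = [
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA",
    "RC4-MD5", "DES-CBC-SHA", "NULL-SHA",
]


def expand(cipher_string):
    """Return the suite names the local OpenSSL selects for a cipher string.

    This shows the effect of the string's syntax on the OpenSSL you have;
    it does not reproduce the suite table of a particular F5 release.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # OpenSSL reports "no cipher match" for an empty selection
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def audit(suite_names):
    """Check a list of suite names against the requirements in the post."""
    weak_found = sorted({
        label for name in suite_names
        for label, pattern in WEAK_PATTERNS.items() if pattern.search(name)
    })
    return {
        "weak": weak_found,                                  # should be []
        "forward_secrecy": any(FS_PATTERN.match(n) for n in suite_names),
        "aes128": any(AES128.search(n) for n in suite_names),
        "aes256": any(AES256.search(n) for n in suite_names),
    }


def audit_string(cipher_string):
    """Expand a cipher string with the local OpenSSL and audit the result."""
    return audit(expand(cipher_string))


if __name__ == "__main__":
    print("constructed 10.x-style offer:", audit(CONSTRUCTED_10X_OFFER))
    print("existing httpd string      :", audit_string(EXISTING_HTTPD))
    print("suggested clientssl string :", audit_string(SUGGESTED_CLIENTSSL))
```

Run against the constructed list, the audit reports RC4, 3DES, single DES, NULL and MD5 present and no forward secrecy, which is exactly the gap the last reply describes for 10.2.4. Run against the local OpenSSL, `DEFAULT:!SSLv3:!RC4` comes back with no weak suites and, on any OpenSSL 1.1 or later, forward-secret suites; the point of the two paths is to separate what the string forbids from what the device can actually negotiate.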