Forum Discussion

Mohanish_169493
Jul 21, 2015

Need to configure specific Cipher "AES256-SHA256" in server SSL profile

Hi,

 

Please, if someone can guide me on how to configure the specific cipher "AES256-SHA256" for a server SSL profile. The server-side certificate is using "AES256-SHA256", so they want it to use this. I am using version 11.4.1. Although the default cipher list for this version supports it, we still want to force the F5 to use this cipher. Any help would be great.

 

  • Hi Mohanish,

     

    If you want to configure a specific cipher, you have to negate everything above this cipher.

     

    You can check serverside Cipher list with tmm --serverciphers ''

     

    • Mohanish_169493
      Hi SynAck, thanks a lot for the reply! I had one more reply. It created the SSL profile. I am yet to test this on Sunday against the production environment. The issue is we have a certificate using SHA256 on the server end. Now if we are using the DEFAULT cipher list in the Server SSL profile, it's causing issues. So the server team wants to use settings in F5 to have specifically SHA256 set. I tested "AES256-SHA256" using openssl s_server against the end server. The connection was successful. However, the cipher used was still AES256-SHA and not SHA256. Any comments?
  • Negating everything from the DEFAULT stack is one way to do it, but if you just want this one cipher, then you can specify it in the Cipher field of the SSL profile:

    AES256-SHA256
    

    From the command line:

    tmm --serverciphers 'AES256-SHA256'
    

    This should produce a single TLS1.2 cipher suite.

  • I tested "AES256-SHA256" using openssl s_server against the end server.

     

    I think technically you should be using openssl s_client to simulate the BIG-IP's role in communicating with the server. The client (BIG-IP) will send a list of ciphers that it can support to the server in its initial ClientHello message, and the server will pick a cipher from that list. That's generally how it works anyway. So if the client only presents one cipher, and the server supports that cipher, then that's what they will negotiate.

     

  • openssl s_client -connect 10.x.x.x:443 -cipher AES256-SHA256
    
    ...
    
    SSL handshake has read 1244 bytes and written 489 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-SHA256
    

    Putting that cipher in the cipher field has always worked fine for me.
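The two points made above (the client offers a cipher list in its ClientHello and the server picks from it, and the `openssl s_client` session summary is where you read back what was actually negotiated) are modelled in the added example below. It is not F5 or OpenSSL code and not part of the original thread. The IANA code points and OpenSSL suite names are the real ones; the server's supported list and the "DEFAULT-like" client list are constructed for illustration, and the sample `s_client` output is the one pasted in the post above.

```python
"""Model of TLS 1.2 cipher-suite negotiation plus a check on openssl s_client output.

Added example for this thread, not F5 or OpenSSL code. SERVER_SUPPORTED and
DEFAULT_LIKE_CLIENT are constructed lists; the code points and names are real.
"""
import re

# OpenSSL name -> IANA code point (RSA key-exchange suites, TLS 1.2).
SUITES = {
    "AES256-SHA256":     0x003D,  # TLS_RSA_WITH_AES_256_CBC_SHA256
    "AES256-SHA":        0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    "AES128-SHA256":     0x003C,  # TLS_RSA_WITH_AES_128_CBC_SHA256
    "AES128-SHA":        0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    "AES256-GCM-SHA384": 0x009D,  # TLS_RSA_WITH_AES_256_GCM_SHA384
}
NAMES = {code: name for name, code in SUITES.items()}

# Constructed: a server that supports SHA256 suites and prefers them first.
SERVER_SUPPORTED = ["AES256-SHA256", "AES256-GCM-SHA384", "AES256-SHA"]
# Constructed: a client list in which the SHA1 suite is ranked above SHA256,
# which is the shape of list that yields "AES256-SHA" when the client's order wins.
DEFAULT_LIKE_CLIENT = ["AES256-SHA", "AES128-SHA", "AES256-SHA256", "AES128-SHA256"]

# Session summary copied from the s_client run posted in this thread.
S_CLIENT_SAMPLE = """SSL handshake has read 1244 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
"""


def client_hello_cipher_suites(names):
    """Encode the cipher_suites field as a ClientHello carries it:
    a 2-byte length followed by 2-byte code points in the client's order."""
    body = b"".join(SUITES[n].to_bytes(2, "big") for n in names)
    return len(body).to_bytes(2, "big") + body


def parse_cipher_suites(field):
    """Decode the cipher_suites field back into a list of code points."""
    length = int.from_bytes(field[:2], "big")
    codes = field[2:2 + length]
    if len(codes) != length or length % 2:
        raise ValueError("malformed cipher_suites field")
    return [int.from_bytes(codes[i:i + 2], "big") for i in range(0, length, 2)]


def server_select(field, server_supported, prefer_server_order=True):
    """Pick the suite the server would put in its ServerHello.

    With prefer_server_order the server walks its own list and takes the first
    suite the client offered (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE);
    otherwise it honours the client's order. None means handshake_failure."""
    offered = parse_cipher_suites(field)
    supported = [SUITES[n] for n in server_supported]
    order, pool = (supported, set(offered)) if prefer_server_order else (offered, set(supported))
    for code in order:
        if code in pool:
            return NAMES[code]
    return None


def negotiated_cipher(s_client_output):
    """Return (protocol, cipher) from the SSL-Session block of openssl s_client output,
    or None if the summary is missing (handshake did not complete)."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    ciph = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    if not (proto and ciph):
        return None
    return proto.group(1), ciph.group(1)


def check_expected(s_client_output, expected_cipher, expected_proto="TLSv1.2"):
    """True only if the session negotiated exactly the suite and protocol expected."""
    return negotiated_cipher(s_client_output) == (expected_proto, expected_cipher)


if __name__ == "__main__":
    one = client_hello_cipher_suites(["AES256-SHA256"])
    print("single-suite ClientHello field:", one.hex())
    print("server picks:", server_select(one, SERVER_SUPPORTED))
    many = client_hello_cipher_suites(DEFAULT_LIKE_CLIENT)
    print("DEFAULT-like list, client order wins:", server_select(many, SERVER_SUPPORTED, False))
    print("DEFAULT-like list, server order wins:", server_select(many, SERVER_SUPPORTED))
    print("s_client check for AES256-SHA256:", check_expected(S_CLIENT_SAMPLE, "AES256-SHA256"))
```

The single-suite case is the one the answers above recommend: whatever the server's preference setting, the only suite it can choose is the one offered. The DEFAULT-like case shows why a long list can come back as AES256-SHA on one server and AES256-SHA256 on another: the answer depends on whose preference order the server honours, which is not something the BIG-IP controls. `check_expected` is the assertion to script around the `s_client` run before the Sunday test, so that a silent fallback to AES256-SHA is caught rather than eyeballed.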