Only show 256 bits ciphers - parent client-ssl profile

Question

Hello, I have the cipher suite configured in my parent client-ssl profile:

!ECDH_RSA:!ECDH_ECDSA:!SHA:-AES:AES:ECDHE:ECDHE_ECDSA:DHE:DHE_DSS:!RSA

How can I only provide ONLY 256 bits ciphers and remove all 128?

Do I need to name them or is there a way to commit them in the string?

Thank you

Julio

ca_valli · Answer

Hello Julio,first things first, I would recommend not to edit default SSL profiles: instead, create a new one and inherit settings from defaults.&nbsp;You can filter ciphers by strength with keywords LOW (64 bit bulk crypto algorithm) , MEDIUM (128-bit) and HIGH ( [ 168 bit/192 bit -- deprecated]  and 256-bit ).&nbsp;So your default string should be HIGH , and then exclude unwanted suites. &nbsp;You can test output with command tmm --clientciphers &lt;string&gt; , ex. tmm --clientciphers "HIGH" or tmm --clientciphers "HIGH:!ECDH_RSA:!ECDH_ECDSA:!SHA:!RSA"

fallout1984 · Answer

That's good info. With "@STRENGTH" one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH)

This is just for anyone who may have a need for it. 😀

Forum Discussion

Only show 256 bits ciphers - parent client-ssl profile

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Client SSL Profile

SSL PROFILE - How to use multiple SSL Profile Client in Virtual Server

TMOS script for updating SSL profile cipher group and TLS versions

iControl SOAP SSL client profile creation code sample

Cipher suite mismatch advertisement/warning

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS