Forum Discussion
Prefer TLSv1.2 within the DEFAULT cipher group
I am trying to manipulate my cipher suite. My requirements are:
* DEFAULT list only remove 3DES
* Prioritize TLSv1.2 above TLS1.1 and TLS1.0 (without adding ciphers not included in the default list)

Sounds easy, but it is not, given how limiting the v12.1.2 tmm --clientciphers utility is. The challenge is preferring TLSv1.2 without adding ciphers not in the DEFAULT list. I have even tried explicitly adding each TLSv1.2 suite individually, but suites like "DHE-RSA-AES256-SHA" bring in sslv3 and other undesirable strings. Any suggestions are appreciated.

Thanks,
- Kevin_Davies
Nacreous
See what --clientciphers gives you with DEFAULT:!SSLv3:!3DES:@STRENGTH
- Dan_Pacheco
Cirrus
I figured it out.

tmm --clientciphers '!3DES:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:-SSLv3:-TLSv1:-TLSv1_1:!DTLSv1:DEFAULT'

Gives me:

       ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0:   159  DHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  EDH/RSA
 1:   158  DHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM  SHA256  EDH/RSA
 2:   107  DHE-RSA-AES256-SHA256        256   TLS1.2  Native  AES      SHA256  EDH/RSA
 3:    57  DHE-RSA-AES256-SHA           256   TLS1.2  Native  AES      SHA     EDH/RSA
 4:   157  AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
 5:   156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
 6:    61  AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
 7:    53  AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
 8:    60  AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
 9:    47  AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA
10: 49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
11: 49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
12: 49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
13: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
14: 49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
15: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
16:   103  DHE-RSA-AES128-SHA256        128   TLS1.2  Native  AES      SHA256  EDH/RSA
17:    51  DHE-RSA-AES128-SHA           128   TLS1.2  Native  AES      SHA     EDH/RSA
18:    51  DHE-RSA-AES128-SHA           128   TLS1    Native  AES      SHA     EDH/RSA
19:    57  DHE-RSA-AES256-SHA           256   TLS1    Native  AES      SHA     EDH/RSA
20:    51  DHE-RSA-AES128-SHA           128   TLS1.1  Native  AES      SHA     EDH/RSA
21:    57  DHE-RSA-AES256-SHA           256   TLS1.1  Native  AES      SHA     EDH/RSA
22:    53  AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
23:    47  AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
24:    53  AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
25:    47  AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
26: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
27: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
28: 49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
29: 49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA

- Kevin_Davies_33
Nimbostratus
Build your own cipher suite (https://support.f5.com/csp/article/K10866411) would solve your problem; alas, it is only v13.
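
A way to check a cipher string like the one in this thread without reading the listing by eye, as an added example that is not part of the original posts: a shell function that reads `tmm --clientciphers` output on stdin and fails if any TLS1.2 row appears after an older-protocol row, or if a 3DES suite is listed. The function names are hypothetical, the sample rows are copied from the listing above, and it is an assumption of this example that 3DES suites carry `DES-CBC3` in the SUITE column.

```shell
#!/bin/sh
# Added example, not from the thread. On a BIG-IP the intended use is:
#   tmm --clientciphers '<cipher string>' | check_cipher_order

# Reads the listing on stdin. Returns 0 only if all TLS1.2 rows come before
# every other protocol row and no 3DES suite is present.
check_cipher_order() {
    awk '
        # Data rows start with an index such as "0:"; skip the header line.
        $1 !~ /^[0-9]+:$/ { next }
        {
            suite = $3; prot = $5
            rows++
            # Assumption: 3DES suites are named with DES-CBC3 (e.g. DES-CBC3-SHA).
            if (suite ~ /DES-CBC3/) {
                printf "3DES suite present: %s (%s)\n", suite, prot
                bad = 1
            }
            if (prot != "TLS1.2") { seen_old = 1; next }
            if (seen_old) {
                printf "TLS1.2 suite %s listed after an older protocol\n", suite
                bad = 1
            }
        }
        END {
            if (rows == 0) { print "no cipher rows parsed"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Sample input: header plus rows 0, 17, 18 and 20 of the listing above.
sample_output() {
    cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
17: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
18: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
20: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
EOF
}

if sample_output | check_cipher_order; then
    echo "TLS1.2 preferred, no 3DES"
fi
```

The check covers ordering and 3DES only; confirming that no suite outside DEFAULT was added still means comparing the SUITE column against the output of `tmm --clientciphers 'DEFAULT'` on the same box.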