Forum Discussion
smp_86112
Cirrostratus
Apr 28, 2014
Server SSL Profile ciphers
I'm using the following Ciphers string in a server SSL profile on my 11.4.1HF3 LTM:
DEFAULT:-TLSv1_1:-TLSv1_2
The resulting ciphers list is this:
Active:Changes Pending] ~ tmm --serve...
nitass
Employee
Apr 28, 2014
This is mine.
config
[root@B5200-R78-S13:Active:Standalone] config tmsh show sys version|head
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.4.1
  Build    637.0
  Edition  Hotfix HF3
  Date     Fri Jan 17 13:32:07 PST 2014
Hotfix List
[root@B5200-R78-S13:Active:Standalone] config tmsh
root@(B5200-R78-S13)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 101.101.101.173:https
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        myserverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 2
}
root@(B5200-R78-S13)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:https {
            address 200.200.200.101
        }
    }
}
root@(B5200-R78-S13)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm profile server-ssl myserverssl
ltm profile server-ssl myserverssl {
    app-service none
    ciphers DEFAULT:-TLSv1_1:-TLSv1_2
}
cipher
[root@B5200-R78-S13:Active:Standalone] config tmm --serverciphers "DEFAULT:-TLSv1_1:-TLSv1_2"
       ID  SUITE                     BITS  PROT   METHOD  CIPHER  MAC  KEYX
 0:     5  RC4-SHA                    128  SSL3   Native  RC4     SHA  RSA
 1:     5  RC4-SHA                    128  TLS1   Native  RC4     SHA  RSA
 2:    47  AES128-SHA                 128  SSL3   Native  AES     SHA  RSA
 3:    47  AES128-SHA                 128  TLS1   Native  AES     SHA  RSA
 4:    47  AES128-SHA                 128  DTLS1  Native  AES     SHA  RSA
 5:    53  AES256-SHA                 256  SSL3   Native  AES     SHA  RSA
 6:    53  AES256-SHA                 256  TLS1   Native  AES     SHA  RSA
 7:    53  AES256-SHA                 256  DTLS1  Native  AES     SHA  RSA
 8:    10  DES-CBC3-SHA               192  SSL3   Native  DES     SHA  RSA
 9:    10  DES-CBC3-SHA               192  TLS1   Native  DES     SHA  RSA
10:    10  DES-CBC3-SHA               192  DTLS1  Native  DES     SHA  RSA
11: 49171  ECDHE-RSA-AES128-CBC-SHA   128  TLS1   Native  AES     SHA  ECDHE_RSA
12: 49172  ECDHE-RSA-AES256-CBC-SHA   256  TLS1   Native  AES     SHA  ECDHE_RSA
13: 49170  ECDHE-RSA-DES-CBC3-SHA     192  TLS1   Native  DES     SHA  ECDHE_RSA
trace
New TCP connection 2: 200.200.200.172(57026) <-> 200.200.200.101(443)
2 1 1398708282.8530 (0.0016) C>SV3.1(75) Handshake
    ClientHello
        Version 3.1
        random[32]=
            f8 9c 48 5c 7b e5 2b 6e 83 04 87 be 32 6c f7 c7
            42 fe b8 3c d9 8f ee 56 b5 bd 70 48 1f 37 50 56
        cipher suites
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_AES_128_CBC_SHA
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc013
            Unknown value 0xc014
            Unknown value 0xc012
            Unknown value 0xff
        compression methods
            NULL
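Added example (not part of the thread and not an F5 tool): the Python below cross-checks the two outputs in the reply above, resolving the "Unknown value 0x.." lines of the ssldump ClientHello against the ID column of `tmm --serverciphers`. The function names are illustrative, the embedded text is the TLS1 rows and suite list copied from the reply, and 0xff is treated as the RFC 5746 renegotiation SCSV.

```python
import re

# TLS1 rows of `tmm --serverciphers` and the ClientHello suite list, copied from the reply.
TMM_ROWS = """\
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
"""
HELLO = """\
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
"""
# IANA code points for the suite names ssldump did print in this trace.
IANA = {"TLS_RSA_WITH_RC4_128_SHA": 0x05, "TLS_RSA_WITH_AES_128_CBC_SHA": 0x2F,
        "TLS_RSA_WITH_AES_256_CBC_SHA": 0x35, "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x0A}
SCSV = 0xFF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746): a signal, not a cipher

def tmm_suites(text, prot="TLS1"):
    """Ordered {suite id: name} for table rows whose PROT column equals prot."""
    rows = re.findall(r"^\s*\d+:\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)", text, re.M)
    return {int(i): name for i, name, p in rows if p == prot}

def hello_ids(text):
    """Code points in ClientHello order; 'Unknown value 0x..' lines carry the id."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [int(ln.split()[-1], 16) if ln.startswith("Unknown value") else IANA[ln]
            for ln in lines]

def compare(table, hello):
    """Name each offered suite from the tmm table and diff the two lists."""
    expected, offered = tmm_suites(table), hello_ids(hello)
    ciphers = [i for i in offered if i != SCSV]
    return {"named": [expected.get(i, hex(i)) for i in ciphers],
            "missing": [n for i, n in expected.items() if i not in ciphers],
            "same_order": ciphers == list(expected),
            "scsv": SCSV in offered}

if __name__ == "__main__":
    print(compare(TMM_ROWS, HELLO))
```

On the data from the reply, 0xc013, 0xc014 and 0xc012 resolve to table IDs 49171, 49172 and 49170, so the ClientHello offers the seven profile suites in table order, plus the SCSV.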