Forum Discussion
Setting ciphers manually in BIG IP
I have BIG-IP v11.6.1 and need to manually set the ciphers. Here is the list of ciphers, in order, of what I want. I have been unable to make this happen. Can someone assist?
Cipher | Suite (hex value) | Bits | Protocols | Key Exchange | Authentication | Cipher | MAC
ECDHE-RSA-AES256-GCM-SHA384 | 0xc030 | 256 | TLS1.2 | ECDHE | RSA | AES-GCM | SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 | 0xc02c | 256 | TLS1.2 | ECDHE | ECDSA | AES-GCM | SHA384
ECDH-RSA-AES256-GCM-SHA384 | 0xc032 | 256 | TLS1.2 | ECDH | RSA | AES-GCM | SHA384
ECDH-ECDSA-AES256-GCM-SHA384 | 0xc02e | 256 | TLS1.2 | ECDH | ECDSA | AES-GCM | SHA384
ECDHE-RSA-AES256-SHA384 | 0xc028 | 256 | TLS1.2 | ECDHE | RSA | AES | SHA384
ECDHE-ECDSA-AES256-SHA384 | 0xc024 | 256 | TLS1.2 | ECDHE | ECDSA | AES | SHA384
DHE-DSS-AES256-GCM-SHA384 | 0xa3 | 256 | TLS1.2 | DHE | DSS | AES-GCM | SHA384
DHE-RSA-AES256-GCM-SHA384 | 0x9f | 256 | TLS1.2 | EDH | RSA | AES-GCM | SHA384
ECDH-RSA-AES256-SHA384 | 0xc02a | 256 | TLS1.2 | ECDH | RSA | AES | SHA384
ECDH-ECDSA-AES256-SHA384 | 0xc026 | 256 | TLS1.2 | ECDH | ECDSA | AES | SHA384
AES256-GCM-SHA384 | 0x9d | 256 | TLS1.2 | RSA | RSA | AES-GCM | SHA384
DHE-RSA-AES256-SHA256 | 0x6b | 256 | TLS1.2 | EDH | RSA | AES | SHA256
DHE-DSS-AES256-SHA256 | 0x6a | 256 | TLS1.2 | DHE | DSS | AES | SHA256
AES256-SHA256 | 0x3d | 256 | TLS1.2 | RSA | RSA | AES | SHA256
ECDHE-RSA-AES256-CBC-SHA | 0xc014 | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | RSA | AES | SHA
ECDHE-ECDSA-AES256-SHA | 0xc00a | 256 | TLS1, TLS1.1, TLS1.2 | ECDHE | ECDSA | AES | SHA
ECDH-RSA-AES256-SHA | 0xc00f | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | RSA | AES | SHA
ECDH-ECDSA-AES256-SHA | 0xc005 | 256 | TLS1, TLS1.1, TLS1.2 | ECDH | ECDSA | AES | SHA
DHE-RSA-AES256-SHA | 0x39 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | EDH | RSA | AES | SHA
DHE-DSS-AES256-SHA | 0x38 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | DHE | DSS | AES | SHA
AES256-SHA | 0x35 | 256 | SSL3, TLS1, TLS1.1, TLS1.2, DTLS1 | RSA | RSA | AES | SHA
11 Replies
- LoyalSoldier
Altostratus
F5 article on configuring ciphers: https://support.f5.com/csp/article/K13171
See the result of a string on a device via CLI bash with this command:
tmm --clientciphers ''
Example:
tmm --clientciphers 'NATIVE:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:!SSLv3:!TLSv1:!EXPORT:!DH:!ADH:!LOW:!MD5:!RC4:RSA+AES:RSA+3DES:@STRENGTH'
The "@STRENGTH" tells it to sort the ciphers by strength, strongest first.
Also see: F5 SSL Everywhere Recommended Practices
https://f5.com/Portals/1/Premium/Architectures/RA-SSL-Everywhere-deployment-guide.pdf
Once you have a cipher string you want, add it to your SSL profile, sshd, or httpd.
- SFiddy_313786
Nimbostratus
This is information I already was aware of. My problem is the getting the exact ciphers in the exact order as my original post. I haven't figured out that string and I have spent quite a bit of time formatting and testing. I am looking for assistance from someone who can show me.
- P_K
Altostratus
What version of BIG-IP is it?
- LoyalSoldier
Altostratus
SFiddy,
 
Have you seen this article? Looks like it might help with what you are trying to do. https://devcentral.f5.com/s/feed/0D51T00006i7buMSAQ
 
Another article, that includes an example of testing them: https://devcentral.f5.com/s/articles/ssl-profiles-part-4-cipher-suites
 
- amintej
Cirrus
I recommend using the command tmm --clientciphers 'DEFAULT' for checking the default configuration. Output example:
[root@localhost:Active:Standalone] config tmm --clientciphers 'DEFAULT'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
6: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
8: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
9: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
10: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
11: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
13: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
14: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
15: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
16: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
17: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
18: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
19: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
20: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
21: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
22: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
23: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
24: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
25: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
26: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
27: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
28: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
29: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
Translation is (this command will print the same output):
tmm --clientciphers 'RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-CBC-SHA:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA'
The general idea is ordering suites (third column of the output), in this example: RC4-SHA:AES128-SHA:AES256-SHA etc., and testing with tmm --clientciphers 'ORDERED SUITES'
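The method in this reply (and the `tmm --clientciphers` check in the earlier one) is easy to get wrong by hand when the wanted list has 21 entries, so here is an added helper script that is not part of the thread and not F5 code: it parses `tmm --clientciphers` output, collapses the one-row-per-protocol listing into the ordered suite string, compares that order against the wanted list from the original post, and flags suites the listing still offers on SSL3 or with RC4/3DES. The sample input is a trimmed copy of the DEFAULT output quoted above; whether every name in the wanted list is recognised on 11.6.1 is not something the thread confirms, which is exactly what the "missing" output tells you after you run tmm with your own string.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: a trimmed subset of the `tmm --clientciphers 'DEFAULT'`
# output quoted in the reply above (header kept, most per-protocol rows dropped).
SAMPLE_TMM_OUTPUT = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
3: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
4: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
7: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
9: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
12: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
14: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
17: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
19: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
20: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
23: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
26: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
29: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
"""

# The wanted order from the original post, top to bottom.
WANTED = (
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-SHA384", "AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES256-CBC-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA",
    "ECDH-ECDSA-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
)


class Suite(NamedTuple):
    suite_id: int
    name: str
    bits: int
    proto: str
    method: str
    cipher: str
    mac: str
    keyx: str


# One tmm row: "<idx>: <suite id> <name> <bits> <proto> <method> <cipher> <mac> <keyx>".
ROW_RE = re.compile(
    r"^\s*\d+:\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_tmm_output(text: str) -> List[Suite]:
    """Return one Suite per row; the header, prompt and blank lines do not match."""
    rows: List[Suite] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sid, name, bits, proto, method, cipher, mac, keyx = m.groups()
            rows.append(Suite(int(sid), name, int(bits), proto, method, cipher, mac, keyx))
    return rows


def ordered_suites(rows: List[Suite]) -> List[str]:
    """Suite names in first-seen order, once each (tmm prints a row per protocol)."""
    names: List[str] = []
    for r in rows:
        if r.name not in names:
            names.append(r.name)
    return names


def cipher_string(names: List[str]) -> str:
    """The explicit colon-separated string to hand to tmm or the SSL profile."""
    return ":".join(names)


def check_order(actual: List[str], wanted: List[str]) -> Dict[str, object]:
    """Compare the effective list against the wanted one: gaps, extras, relative order."""
    wanted_set, actual_set = set(wanted), set(actual)
    common_actual = [n for n in actual if n in wanted_set]
    common_wanted = [n for n in wanted if n in actual_set]
    return {
        "missing": [n for n in wanted if n not in actual_set],
        "unexpected": [n for n in actual if n not in wanted_set],
        "order_ok": common_actual == common_wanted,
    }


def weak_suites(rows: List[Suite]) -> Dict[str, Set[str]]:
    """Suites still offered with RC4 or 3DES (tmm labels 3DES as DES) or on SSL3."""
    flags: Dict[str, Set[str]] = {}
    for r in rows:
        reasons = {x for x in (r.cipher,) if x in ("RC4", "DES")}
        if r.proto == "SSL3":
            reasons.add("SSL3")
        if reasons:
            flags.setdefault(r.name, set()).update(reasons)
    return flags


if __name__ == "__main__":
    rows = parse_tmm_output(SAMPLE_TMM_OUTPUT)
    effective = ordered_suites(rows)
    print("effective:", cipher_string(effective))
    print("wanted:   ", cipher_string(list(WANTED)))
    print("check:    ", check_order(effective, list(WANTED)))
    print("weak:     ", weak_suites(rows))
```

On the box, pipe the real listing in (`tmm --clientciphers '<your string>' > out.txt`) and feed the file to `parse_tmm_output`; `cipher_string(list(WANTED))` is the explicit, name-by-name string this reply suggests trying, and `check_order` then shows which names tmm dropped and whether the relative order survived.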