smp_86112
Aug 10, 2010

Specifying Ciphers in Client SSL Profiles

We just encountered a situation where (we believe) upgrading to 10.2.0 broke SSL connections for particular clients. According to the 10.2 release notes, MD5 ciphers were taken out of the default SSL cipher list. And the clients having the problem use only the TLS_RSA_WITH_RC4_128_MD5 cipher suite, which I have validated in a network trace.

According to the OpenSSL doc, TLS_RSA_WITH_RC4_128_MD5 equates to the "RC4-MD5" cipher list which I can add to the cipher list in the Client SSL profile. What I wanted to do is simply add RC4-MD5 to the DEFAULT list of ciphers, like this:

DEFAULT:RC4-MD5

However this didn't appear to work, the handshake still fails. According to F5 doc, the DEFAULT cipher list explicitly removes MD5 ciphers:

!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED

I've seen a prepended addition sign (+) in the cipher list in some of the documentation, but I've never seen the documentation about when you would use it. I'm wondering if there's a conflict between !MD5 in the DEFAULT cipher list and my :RC4-MD5?
  • George_Watkins_ (Historic F5 Account)
    Hi SMP,

    RC4-MD5 is still part of the default cipher list in version 10.2: http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10262.html. I think what you may be missing is the DES-CBC-SHA cipher. Here is a solution on how to add it to the SSL profile in v10.2: http://support.f5.com/kb/en-us/solutions/public/11000/600/sol11624.html.

    Hope that helps,

    George
  • After reading SOL10262 again, I believe you're right. But if that's true, there's something I can't reconcile. The client only accepts TLS_RSA_WITH_RC4_128_MD5, which I have verified through a network trace. And according to the OpenSSL doc, TLS_RSA_WITH_RC4_128_MD5 is equivalent to RC4-MD5, which should have been accepted since RC4-MD5 is in the DEFAULT cipher list on the Client SSL Profile. But the LTM would not accept the connection.

    What seems to have worked is removing !MD5 from the DEFAULT cipher list !SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED (according to SOL7815). In other words, this cipher list seems to have worked:

    !SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED

    Does it make sense to you why LTM 10.2.0 would accept a TLS_RSA_WITH_RC4_128_MD5/RC4-MD5 cipher with this customized cipher list, but not "DEFAULT"? The only answer I can come up with is that cipher MD5 is included in DES-CBC-SHA, but I don't think that's true from what I can see in the OpenSSL doc.
  • hoolio
    Hi SMP,

    I haven't read the thread too closely, but you can use tmm --clientciphers 'CIPHER_LIST' to check which ciphers are used for a given cipher string:

    tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED'

    tmm --clientciphers 'DEFAULT'

    Aaron
  • Actually hoolio, that was a tremendous command reference. It helped a huge amount, so thanks. Where the heck did it come from - a search of "clientciphers" on ask.f5.com doesn't pull up anything...

    I think SOL10262 and SOL11624 contradict each other, and furthermore, I believe SOL11624 is correct. If you look closely at SOL11624, it says it right in the title:

    SOL11624: Change in Behavior: The default BIG-IP SSL profiles no longer include DES-CBC-SHA *** and ciphers containing the MD5 hash ***

    Armed with hoolio's command reference, I can easily see the difference between 'DEFAULT' and '!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED' ('DEFAULT' [according to SOL7815] with '!MD5' removed):

    ID  SUITE        BITS  PROT  METHOD  CIPHER  MAC  KEYX
    0:  4 RC4-MD5    128   SSL3  Native  RC4     MD5  RSA
    1:  4 RC4-MD5    128   TLS1  Native  RC4     MD5  RSA

    So it sure looks to me like RC4-MD5 is not in DEFAULT cipher list anymore, contradicting SOL10262. I'm going to post to the documentation forum to get clarification.

    Assuming I am correct about RC4-MD5...I can see in a network trace that the client is using TLS1, so the removal of cipher 1 above from the DEFAULT cipher list must be the cause. I was hoping that I could use MD5 ciphers again by simply appending them to DEFAULT, like 'DEFAULT:RC4-MD5', because it seems a bit more intuitive to understand why it was customized which will become important in 6 months when I forget all about this. But unfortunately that didn't work, and I guess I can see why F5 would want to prevent that behavior.

    Anyway, I think I've thought this out far enough. Thanks watkins for getting my thoughts moving in the right direction, and hoolio again for that command.
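The behaviour the thread arrives at (appending RC4-MD5 to DEFAULT does nothing, while dropping !MD5 from the expanded DEFAULT string brings it back) is exactly what the OpenSSL cipher-string rules predict: a `!` token kills matching suites permanently for the rest of the string, `-` removes them but lets a later bare token re-add them, and `+` only moves already-selected suites to the end of the list. The Python below is an added example, not code from the thread, F5 or OpenSSL: it implements those rules over a small constructed suite table and reproduces the cases discussed above. It assumes BIG-IP applies the same semantics OpenSSL documents (the tmm output quoted above is consistent with that); on a real unit, `tmm --clientciphers` remains the authoritative check.

```python
import re

# Constructed toy suite table (an assumption for this example, not the BIG-IP
# built-in list): name, key bits, and the property keywords a token can match.
SUITES = [
    ("RC4-MD5",              128, {"RSA", "RC4", "MD5", "SSL3", "TLS1"}),
    ("RC4-SHA",              128, {"RSA", "RC4", "SHA", "SSL3", "TLS1"}),
    ("AES128-SHA",           128, {"RSA", "AES", "SHA", "SSL3", "TLS1"}),
    ("AES256-SHA",           256, {"RSA", "AES", "SHA", "SSL3", "TLS1"}),
    ("DES-CBC3-SHA",         168, {"RSA", "3DES", "SHA", "SSL3", "TLS1"}),
    ("DES-CBC-SHA",           56, {"RSA", "DES", "SHA", "SSL3", "TLS1"}),
    ("EXP-RC4-MD5",           40, {"RSA", "RC4", "MD5", "EXPORT", "SSL3", "TLS1"}),
    ("EDH-RSA-DES-CBC3-SHA", 168, {"DH", "EDH", "RSA", "3DES", "SHA", "SSL3", "TLS1"}),
    ("ADH-RC4-MD5",          128, {"DH", "ADH", "RC4", "MD5", "SSL3", "TLS1"}),
    ("RC2-CBC-MD5",          128, {"SSLv2", "RSA", "RC2", "MD5"}),
]
BITS = {name: bits for name, bits, _ in SUITES}
TAGS = {name: tags for name, _, tags in SUITES}

# The v10 DEFAULT expansion quoted in the thread (SOL7815).
F5_DEFAULT = "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED"


def matches(word, name, tags):
    """A token matches a suite by exact name, by ALL, or when every
    '+'-joined property keyword is one of the suite's properties."""
    if word == "ALL" or word == name:
        return True
    return all(part in tags for part in word.split("+"))


def tokens(spec):
    """Split a cipher string; DEFAULT is expanded textually, so the '!'
    kills inside it stay in force for every token that follows."""
    out = []
    for tok in re.split(r"[:, ]+", spec.strip()):
        if tok == "DEFAULT":
            out.extend(tokens(F5_DEFAULT))
        elif tok:
            out.append(tok)
    return out


def expand(spec):
    """Apply OpenSSL cipher-string semantics; return ordered suite names."""
    active = []
    killed = set()
    for tok in tokens(spec):
        if tok.startswith("@"):
            continue  # @SPEED/@STRENGTH only reorder; this toy keeps table order
        op, word = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hit = [n for n in TAGS if matches(word, n, TAGS[n])]
        if op == "!":        # permanent removal: later tokens cannot re-add
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":      # soft removal: a later bare token may re-add
            active = [n for n in active if n not in hit]
        elif op == "+":      # demote: move already-active matches to the end
            moved = [n for n in active if n in hit]
            active = [n for n in active if n not in hit] + moved
        else:                # bare token: append new matches unless killed
            for n in hit:
                if n not in killed and n not in active:
                    active.append(n)
    return active


def show(spec):
    """Print the expansion in a layout loosely like tmm --clientciphers."""
    print(spec)
    print("  ID  SUITE                  BITS  MAC")
    for i, name in enumerate(expand(spec)):
        mac = "MD5" if "MD5" in TAGS[name] else "SHA"
        print(f"  {i}:  {name:<21} {BITS[name]:>5}  {mac}")


if __name__ == "__main__":
    for spec in ("DEFAULT",
                 "DEFAULT:RC4-MD5",
                 "!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED",
                 "!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:-MD5:RC4-MD5"):
        show(spec)
```

Running it shows the first two strings produce identical lists with no RC4-MD5, the third lists RC4-MD5 first, and the fourth (using `-MD5` instead of `!MD5`) lists it last. That last form is the one to prefer if a legacy client really does force an MD5 suite back in: it keeps the stronger suites at higher preference and makes the exception visible in the string itself, which is the readability point raised above.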