Forum Discussion
smp_86112
Cirrostratus
Aug 10, 2010
Specifying Ciphers in Client SSL Profiles
We just encountered a situation where (we believe) upgrading to 10.2.0 broke SSL connections for particular clients. According to the 10.2 release notes, MD5 ciphers were taken out of the default SSL ...
smp_86112
Cirrostratus
Aug 11, 2010
Actually hoolio, that was a tremendous command reference. It helped a huge amount, so thanks. Where the heck did it come from - a search of "clientciphers" on ask.f5.com doesn't pull up anything...
I think SOL10262 and SOL11624 contradict each other, and furthermore, I believe SOL11624 is correct. If you look closely at SOL11624, it says it right in the title:
SOL11624: Change in Behavior: The default BIG-IP SSL profiles no longer include DES-CBC-SHA *** and ciphers containing the MD5 hash ***
Armed with hoolio's command reference, I can easily see the difference between 'DEFAULT' and '!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED' ('DEFAULT' [according to SOL7815] with '!MD5' removed):
     ID SUITE    BITS PROT METHOD CIPHER MAC KEYX
 0:   4 RC4-MD5  128  SSL3 Native RC4    MD5 RSA
 1:   4 RC4-MD5  128  TLS1 Native RC4    MD5 RSA
So it sure looks to me like RC4-MD5 is not in DEFAULT cipher list anymore, contradicting SOL10262. I'm going to post to the documentation forum to get clarification.
Assuming I am correct about RC4-MD5...I can see in a network trace that the client is using TLS1, so the removal of cipher 1 above from the DEFAULT cipher list must be the cause. I was hoping that I could use MD5 ciphers again by simply appending them to DEFAULT, like 'DEFAULT:RC4-MD5', because it seems a bit more intuitive to understand why it was customized, which will become important in 6 months when I forget all about this. But unfortunately that didn't work, and I guess I can see why F5 would want to prevent that behavior.
Anyway, I think I've thought this out far enough. Thanks watkins for getting my thoughts moving in the right direction, and hoolio again for that command.
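An added example, not part of the original post or of F5's tooling: a small Python script that diffs two cipher listings in the column layout quoted above, showing which suite/protocol pairs one cipher string enables that the other does not. Both listings are constructed sample data, and the names `Suite`, `parse_listing` and `only_in` are hypothetical.

```python
from typing import NamedTuple

# Constructed sample listings in the column layout quoted in the post
# (row index, ID, SUITE, BITS, PROT, METHOD, CIPHER, MAC, KEYX); not device output.
WITH_MD5 = """\
     ID SUITE       BITS PROT METHOD CIPHER MAC KEYX
 0:   5 RC4-SHA     128  SSL3 Native RC4    SHA RSA
 1:   5 RC4-SHA     128  TLS1 Native RC4    SHA RSA
 2:   4 RC4-MD5     128  SSL3 Native RC4    MD5 RSA
 3:   4 RC4-MD5     128  TLS1 Native RC4    MD5 RSA
 4:  47 AES128-SHA  128  TLS1 Native AES    SHA RSA
"""
WITHOUT_MD5 = """\
     ID SUITE       BITS PROT METHOD CIPHER MAC KEYX
 0:   5 RC4-SHA     128  SSL3 Native RC4    SHA RSA
 1:   5 RC4-SHA     128  TLS1 Native RC4    SHA RSA
 2:  47 AES128-SHA  128  TLS1 Native AES    SHA RSA
"""

class Suite(NamedTuple):
    id: int
    suite: str
    bits: int
    prot: str
    method: str
    cipher: str
    mac: str
    keyx: str

def parse_listing(text):
    """Parse listing rows; the header and blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # A data row has 9 fields: "N:" index, numeric ID, suite, numeric bits, then 5 names.
        if (len(f) == 9 and f[0].endswith(":") and f[0][:-1].isdigit()
                and f[1].isdigit() and f[3].isdigit()):
            rows.append(Suite(int(f[1]), f[2], int(f[3]), *f[4:]))
    return rows

def only_in(a, b):
    """Rows of listing a whose (suite, protocol) pair is absent from listing b."""
    present = {(s.suite, s.prot) for s in b}
    return [s for s in a if (s.suite, s.prot) not in present]

if __name__ == "__main__":
    for s in only_in(parse_listing(WITH_MD5), parse_listing(WITHOUT_MD5)):
        print(f"{s.suite:<12} {s.prot:<5} mac={s.mac} keyx={s.keyx}")
```

Keying the comparison on the (suite, protocol) pair matters because the same suite is listed once per protocol version, and a client pinned to one protocol is only affected by that row.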