Forum Discussion
SSL Cipher String
Hi,
What is the procedure to change the cipher string from an existing one to a new, stronger one? Can it be done via CLI on all HTTPS virtual servers? If yes, how? Please mention the commands.
Like, pre-check cmds, change cmds and post-check cmds etc.
11 Replies
- What_Lies_Bene1
Cirrostratus
Spooky, I answered a very similar question a while back. I'll try and add the commands in later. It'll be pretty manual assuming all the VSs have a different profile assigned, but if they are based on the default profile and rely on its cipher setting it could be a one-liner in tmsh.
As for pre and post checks I'd suggest the following as a minimum (ideally from the CLI);
- Check available disk, CPU and memory resources - make a note
- Check the logs to make sure the device is stable and nothing that might affect your change is being reported
- Check no one else is on the box
- Save the config on and off box
- Check connection levels to the VS in question - make a note
- Check whatever other statistics etc. that you can in relation to the function/objects you are changing
- Make sure you have a backout plan
- If it's a HA setup, make sure the standby(s) are operational and the config is in sync
- Make the change
- Compare everything you recorded pre-change with the post-change state/statistics
- Check the logs
- Test, test, test
- nathe
Cirrocumulus
genseek,
You actually make the changes to the cipher strength on the client ssl profile, which is assigned to a virtual server.
To view the SSL Profiles and their Ciphers then: tmsh list /ltm profile client-ssl
To modify an SSL profile then: tmsh modify /ltm profile client-ssl ciphers xxxxx
See http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
Hope this helps,
N
- genseek_32178
Nimbostratus
What is the command to check connection levels to the VS in question?
"Check whatever other statistics etc. that you can in relation to the function/objects you are changing" - What could this be? And what would those be by way of CLI cmds?
"Make sure you have a backout plan" - What would be the steps under a backout plan specifically? Would it just mean re-applying the old cipher string, or anything else along with that?
thanks - genseek
- What_Lies_Bene1
Cirrostratus
Check VS connection levels: tmsh show ltm virtual ...
Other stats: In this case, SSL connection levels: tmsh show ltm profile client-ssl ...
Backout plan: yes, reverting to the original configuration (and testing again to make sure it worked)
- dominatorz_1208
Nimbostratus
Hi Steve and Nathan, Genseek
A couple of weeks ago I asked the same question and Steve sorted it for me, and I made a plan to do it through the GUI and am just waiting for my manager to give me approval.
I have a question about post-implementation testing: how to test that the new cipher is working for the client SSL. Do I need to use any different browsers or any different tool to check that the new cipher is working? Appreciate it if provided with test steps.
Many thanks
RS
- What_Lies_Bene1
Cirrostratus
A packet capture on the client or the BIG-IP might help (look for the ServerHello message); however, the client sends a list of its supported ciphers and the server selects just one (normally the most secure), so unless you can configure a client to specifically use a cipher you have blocked it doesn't prove much.
That being the case perhaps you should clear the statistics here: Statistics > Module Statistics > Local Traffic > Profiles Summary > Client SSL just after the change and then open some connections and observe what Protocols etc are used. It still doesn't prove much unless you can get a client to connect requesting a known blocked cipher.
A better method might be to configure a ServerSSL profile with the cipher string you want and observe what ciphers it presents in the ClientHello message it will send to a host. With this, you can obviously test before the change too. But you might not consider it valid as it's not the actual ClientSSL profile that you'll be changing.
- nathe
Cirrocumulus
rsyed,
There are a number of online tools for querying what cipher suites are presented by the server. Qualys do an SSL Checker, as does McAfee, so a quick google for this should give you the info you need (haven't got access to my shortcuts at the moment).
N
- dominatorz_1208
Nimbostratus
Thanks so very much Steve and Nathan
- What_Lies_Bene1
Cirrostratus
Thanks Nathan. For offline tools I'd imagine OpenSSL and curl might also be useful.
- nitass
Employee
e.g.
How to Use the Command Line to Test Cipher Strength by CRICKEL
http://idlethreat.com/site/index.php/archives/181
SSL-Cipher-Check
http://www.unspecific.com/ssl/
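One way to turn the pre-check and post-check halves of this thread into something repeatable, as an added example that is not from the thread, F5 or any of the posters: take the output of `tmsh list /ltm profile client-ssl` (the block below embeds a constructed approximation of that output, not real device output), record each profile's cipher string, and expand each string with the local OpenSSL through Python's `ssl` module to see which suites it admits and whether it still includes RC4, MD5, 3DES, NULL, export or anonymous suites. BIG-IP uses its own OpenSSL-style cipher grammar, so the expansion on a workstation is a plausibility check on the string you are about to apply, not a statement of what the BIG-IP will negotiate; the `WEAK_MARKERS` list and the profile names are assumptions of this example. Run the same audit on the saved pre-change and post-change `tmsh list` output and diff the two reports, alongside `tmsh show ltm profile client-ssl` on the box for the live negotiated-suite counters.

```python
"""Inventory BIG-IP client-ssl profiles and sanity-check their cipher strings.

Added example. The tmsh output below is a CONSTRUCTED approximation of
`tmsh list /ltm profile client-ssl`; cipher strings are expanded with the
workstation's OpenSSL via the ssl module, which is a plausibility check only.
"""
import re
import ssl

# Constructed sample output; real output carries many more properties.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl clientssl {
    app-service none
    cert default.crt
    ciphers DEFAULT
    key default.key
}
ltm profile client-ssl legacy-portal {
    ciphers ALL:!aNULL:!eNULL
    defaults-from clientssl
}
ltm profile client-ssl hardened-portal {
    ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES
    defaults-from clientssl
}
ltm profile client-ssl inherits-only {
    defaults-from clientssl
}
"""

# Assumed substrings in OpenSSL suite names that a hardening pass should remove.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{$")
CIPHERS_RE = re.compile(r"^\s+ciphers (.+)$")


def parse_client_ssl_profiles(text):
    """Map profile name -> cipher string; None when the profile has no
    explicit ciphers line and so inherits it via defaults-from."""
    profiles = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = None
            continue
        if current is None:
            continue
        m = CIPHERS_RE.match(line)
        if m:
            profiles[current] = m.group(1).strip()
        elif line.startswith("}"):
            current = None
    return profiles


def expand_cipher_string(cipher_string):
    """Suite names (TLS 1.2 and below) the local OpenSSL selects for the
    string, or None if OpenSSL rejects it (typo, nothing selected)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are not governed by the cipher string, so drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Expanded suite names that still carry a weak-algorithm marker."""
    names = expand_cipher_string(cipher_string) or []
    return [n for n in names if any(w in n for w in WEAK_MARKERS)]


def audit(text):
    """Per profile: cipher string, whether OpenSSL accepts it, weak suites."""
    report = {}
    for name, cs in parse_client_ssl_profiles(text).items():
        if cs is None:
            report[name] = {"ciphers": None, "valid": None, "weak": []}
            continue
        expanded = expand_cipher_string(cs)
        report[name] = {
            "ciphers": cs,
            "valid": expanded is not None,
            "weak": weak_suites(cs) if expanded is not None else [],
        }
    return report


if __name__ == "__main__":
    for name, row in audit(SAMPLE_TMSH_OUTPUT).items():
        print(f"{name:18} ciphers={row['ciphers']!r} valid={row['valid']} "
              f"weak={row['weak']}")
```

Profiles that report `ciphers=None` are the ones the first reply mentions: they take their cipher setting from the parent profile, so changing `clientssl` changes them too, which is worth knowing before you run `tmsh modify /ltm profile client-ssl ... ciphers ...` on the default profile.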