For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

genseek_32178's avatar
genseek_32178
Icon for Nimbostratus rankNimbostratus
Feb 21, 2013

SSL Cipher String

Hi,   What is the procedure to change the cipher string from an existing one to a new one more stronger one? Can it be done via CLI on all https virtual servers? If yes, how, please mention the co...
basic
getting started
new to f5
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Feb 26, 2013

A packet capture on the client or the BIG-IP might help (look for the ServerHello message), however, the client sends a list of it's supported ciphers and the server selects just one (normally the most secure) so unless you can configure a client to specifically use a cipher you have blocked it doesn't prove much.

 

 

That being the case perhaps you should clear the statistics here: Statistics > Module Statistics > Local Traffic > Profiles Summary > Client SSL just after the change and then open some connections and observe what Protocols etc are used. It still doesn't prove much unless you can get a client to connect requesting a known blocked cipher.

 

 

A better method might be to configure a ServerSSL profile with the cipher string you want and observe what ciphers it presents in the ClientHello message it will send to a host. With this, you can obviously test before the change too. But you might not consider it valid as it's not the actual ClientSSL profile that you'll be changing.