For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Brian_Dean's avatar
Brian_Dean
Icon for Nimbostratus rankNimbostratus
Jun 29, 2015

SSL Client Profile Cipher Suites

I'm working on a project to re-order the client-side cipher suites on phases. Here is the ssl client profiles base configuraiton:   -ALL:!ADH:!LOW:!EXP:!SSLv2:!NULL:RC4:RSA:HIGH:MEDIUM   We ca...
application delivery
design
LTM
security
Brian_Dean's avatar
Brian_Dean
Icon for Nimbostratus rankNimbostratus
Oct 13, 2015

We have completed this project so I thought I'd follow-up with what we finalized on.

 

We've set the default clientssl SSL client profiles ciphers value to this: !ADH:!LOW:!EXP:!SSLv2:!SSLv3:!DTLSv1:!NULL:!MD5:!RC4:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:ECDHE_ECDSA:ECDHE+TLSv1_2:-SHA:ECDHE_ECDSA+SHA+TLSv1_2:ECDHE+SHA+TLSv1_2:HIGH+TLSv1_2:MEDIUM+TLSv1_2:ECDHE_ECDSA+SHA+TLSv1_1:ECDHE+SHA+TLSv1_1:HIGH+TLSv1_1:MEDIUM+TLSv1_1:ECDHE+SHA+TLSv1:HIGH+TLSv1:MEDIUM+TLSv1

 

You'll be able to see how this string orders the ciphers and protocols by using the tmm --clientciphers command on the BIG-IP. This configuration eliminates the "obsolete cryptography" message recent versions of Chrome would show users. It also provides forward secrecy support for all modern desktop and mobile browsers. Along with preferring the TLS 1.2, TLS 1.1 and TLS 1.0 protocols in that order along with removing SSL 2.0 and SSL 3.0 support. And produces an beautiful overall rating of A from SSL Labs.

 

There are obviously other profile settings that need to be addressed. But settling on what this cipher string should be was the most time consuming IMHO.