Forum Discussion
jco_105989
Nimbostratus
Dec 07, 2010
SSL Encryption
Hello
Does BIG IP v10.2 support SSL Encryption 256 bits?
Thanks
11 Replies
- Chris_Miller
Altostratus
Lowest I see through the "New SSL Certificate" section of the Config Utility is 512. You're talking about terminating SSL connections, right?
- jco_105989
Nimbostratus
Right,
it's about SSL termination.
- JRahm
Admin
Certificate key length supports 512-4096. Default ciphers in 10.2 no longer include MD5 hash:
Cipher         Bits   Protocols
RC4-SHA        128    SSL3, TLS1
AES128-SHA     128    SSL3, TLS1, DTLS1
AES256-SHA     256    SSL3, TLS1, DTLS1
DES-CBC3-SHA   192    SSL3, TLS1, DTLS1
So if you're looking for a 256 cipher, yes, the AES256-SHA cipher is included by default. If you need others, you can amend the ciphers list in your ssl profile.
- jco_105989
Nimbostratus
Thanks for the reply.
Where can I define or choose AES256-SHA 256 SSL3, TLS1, DTLS1 in the SSL profile?
My case is that I purchased an SSL certificate that has 256 encryption. When I install it, the browser shows Public key RSA(2048).
- L4L7_53191
Nimbostratus
Jco: that's the public key length, which is a different thing. The ciphers come into play after the negotiation takes place. The 256 encryption you're using is used for the encryption of the data - the handshake is used to negotiate the encryption cipher and length, which is where your 256 bits comes into play.
I hope this makes sense.
-Matt
- JRahm
Admin
Did you generate your key on the LTM? If so, you just need to import the certificate you purchased under Local Traffic->SSL Certificate List -> Import. If not, then you'll need to import both key & certificate (same location). Once that is in place, you'll need to create a clientssl profile that references your certificate. You can specify the cipher to be only AES256-SHA in the ssl profile ciphers section, but it's atypical to limit clients to just one; you might prevent some clients from connecting. Of course, if it's a security requirement for that particular application, then the clients will be knowledgeable on this I suppose, or at least the administrators of those clients will be.
- jco_105989
Nimbostratus
What does it mean when I set the cipher value to DEFAULT?
I need users' browsers with 128-bit or 256-bit encryption to be able to connect.
Can I define the following values in the cipher section?
RC4-SHA
AES128-SHA
AES256-SHA
DES-CBC3-SHA
Thanks
- hoolio
Cirrostratus
You can use tmm --clientciphers 'CIPHER_STRING' to see what ciphers will be included for a given cipher string. Here are a few related posts:
Specifying Ciphers in Client SSL Profiles
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/afv/topic/aft/1172861/aff/31/showtab/groupforums/Default.aspx
Best practice for ssl ciphers
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1168042&ptarget=1168059
Aaron
- JRahm
Admin
Part 4 of the SSL Profiles series I'm writing summarizes a lot of this excellent information I've gleaned from the forums:
http://links.f5.com/groUSB
- nitass
Employee
I usually set ciphers according to sol7815, which blocks anonymous ciphers and connections using 128-bit ciphers or less.
sol7815: Configuring the cipher strength for SSL profiles
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html
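
An added example, not part of any reply above and not F5 code: a local counterpart to the cipher-string check hoolio describes, combined with the strength and anonymous-suite checks nitass mentions. It expands an OpenSSL-style cipher string through Python's `ssl` module and reports which selected suites are anonymous or fall below a chosen bit strength. Assumptions: it reflects the local OpenSSL build rather than BIG-IP, whose cipher-string syntax and suite list differ, and the function names `expand` and `audit` are hypothetical.

```python
import ssl


def expand(cipher_string):
    """List the TLS 1.2-and-earlier suites local OpenSSL selects for cipher_string.

    Assumption: this runs against the local OpenSSL build, not a BIG-IP;
    use it to reason about OpenSSL-style strings only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string matched nothing this OpenSSL build supports
    # TLS 1.3 suites are configured separately from the cipher string; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string, min_bits):
    """Return {suite name: reason} for each selected suite that breaks policy."""
    findings = {}
    for c in expand(cipher_string):
        if "Au=None" in c["description"]:
            findings[c["name"]] = "anonymous (no server authentication)"
        elif c["strength_bits"] < min_bits:
            findings[c["name"]] = f"{c['strength_bits']} bits < {min_bits}"
    return findings


if __name__ == "__main__":
    # Constructed sample strings; the first two use cipher names from this thread.
    for s in ("AES256-SHA", "AES256-SHA:AES128-SHA", "HIGH:!aNULL:!MD5"):
        rows = expand(s)
        print(f"{s!r}: {len(rows)} suite(s)")
        for c in rows:
            print(f"  {c['name']:<32}{c['strength_bits']:>4}  {c['protocol']}")
        print("  below 256 bits:", sorted(audit(s, 256)) or "none")
```

The bit count reported here is the symmetric cipher strength negotiated for the session, which is separate from the RSA(2048) public key length shown for the certificate.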
