Forum Discussion
chester_16314
Nimbostratus
NimbostratusSSL Profiles and Strength
Hoping this is the right group within which to pose this question.
When I view my ssl certificate summary in Chrome for instance, it says "your connection to xyz is encrypted with 128-bit encryption"
I recently just installed a new digital certificate that supports 256 bit encryption. Maybe I'm naive, but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?
Here's another way of asking the same thing. Should I have something set differently in the BigIP to default to the highest level possible or should I be changing a client browser setting to increase my rate?
A little education is appreciated.
nitassEmployee
but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?you have to modify ciphers setting in clientssl profile.
sol7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html
just in case this is for config utility (webui).
sol6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html
Should I have something set differently in the BigIP to default to the highest level possible or should I be changing a client browser setting to increase my rate?since we can't control all client, i prefer setting it on bigip side.
chester_16314Thanks for the links, that was good information and it validated some of what I've been doing. I had already augmented the ciphers to block some that I didn't want to support. Essentially, for strength I've blocked low and still support Medium and High.
As I read that post, it appears that the BigIP will 'support' the medium and high ciphers. Is there a way I can order the ciphers so that if the client supports high it uses it? Perhaps this is something that has to be done with an iRule, changing the VS or profile based on the capability of the client? Directing the client to the profile that supports ONLY high if they can support it.
This is not for the config utility by the way, but thanks for offering that up.- nitassyou can use @STRENGTH instead of @SPEED.
this is 10.2.3.[root@ve1023:Active] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA 1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA 2: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA 3: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 4: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 5: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 7: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 8: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 9: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 10: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 11: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 14: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 16: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA [root@ve1023:Active] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 4: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 5: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA 6: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 7: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 8: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 9: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA 10: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA 11: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA 12: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 13: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 14: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 15: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 16: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA - chester_16314Great, that worked! So as a follow up, does doing this make any sense? I wanted to prove I could make use of the 256 bit key, but in reality is there really any added security to offset that performance hit?
- nitassi do not have an answer for you but just thinking key length is not an only factor - algorithm has also effect.
BEAST is one example.
sol13400: SSL 3.0 / TLS 1.0 "BEAST" vulnerability CVE-2011-3389
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13400.html
just my 2c.