Forum Discussion
chester_16314 (Nimbostratus)
Mar 09, 2012
SSL Profiles and Strength
Hoping this is the right group within which to pose this question.
When I view my SSL certificate summary in Chrome for instance, it says "your connection to xyz is encrypted with 128-bit encryption".
I recently just installed a new digital certificate that supports 256 bit encryption. Maybe I'm naive, but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?
Here's another way of asking the same thing. Should I have something set differently in the BigIP to default to the highest level possible or should I be changing a client browser setting to increase my rate?
A little education is appreciated.
- nitass (Employee)
  > but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?

  You have to modify the ciphers setting in the clientssl profile.
- chester_16314 (Nimbostratus)
  Thanks for the links, that was good information and it validated some of what I've been doing. I had already augmented the ciphers to block some that I didn't want to support. Essentially, for strength I've blocked low and still support Medium and High.
- nitass (Employee)
  You can use @STRENGTH instead of @SPEED.

  ```
  [root@ve1023:Active] config # tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED'
       ID  SUITE          BITS  PROT    METHOD  CIPHER  MAC     KEYX
   0:   5  RC4-SHA        128   SSL3    Native  RC4     SHA     RSA
   1:   5  RC4-SHA        128   TLS1    Native  RC4     SHA     RSA
   2:   5  RC4-SHA        128   TLS1.2  Native  RC4     SHA     RSA
   3:  47  AES128-SHA     128   SSL3    Native  AES     SHA     RSA
   4:  47  AES128-SHA     128   TLS1    Native  AES     SHA     RSA
   5:  47  AES128-SHA     128   TLS1.2  Native  AES     SHA     RSA
   6:  47  AES128-SHA     128   DTLS1   Native  AES     SHA     RSA
   7:  53  AES256-SHA     256   SSL3    Native  AES     SHA     RSA
   8:  53  AES256-SHA     256   TLS1    Native  AES     SHA     RSA
   9:  53  AES256-SHA     256   TLS1.2  Native  AES     SHA     RSA
  10:  53  AES256-SHA     256   DTLS1   Native  AES     SHA     RSA
  11:  10  DES-CBC3-SHA   192   SSL3    Native  DES     SHA     RSA
  12:  10  DES-CBC3-SHA   192   TLS1    Native  DES     SHA     RSA
  13:  10  DES-CBC3-SHA   192   TLS1.2  Native  DES     SHA     RSA
  14:  10  DES-CBC3-SHA   192   DTLS1   Native  DES     SHA     RSA
  15:  60  AES128-SHA256  128   TLS1.2  Native  AES     SHA256  RSA
  16:  61  AES256-SHA256  256   TLS1.2  Native  AES     SHA256  RSA

  [root@ve1023:Active] config # tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH'
       ID  SUITE          BITS  PROT    METHOD  CIPHER  MAC     KEYX
   0:  53  AES256-SHA     256   SSL3    Native  AES     SHA     RSA
   1:  53  AES256-SHA     256   TLS1    Native  AES     SHA     RSA
   2:  53  AES256-SHA     256   TLS1.2  Native  AES     SHA     RSA
   3:  53  AES256-SHA     256   DTLS1   Native  AES     SHA     RSA
   4:  61  AES256-SHA256  256   TLS1.2  Native  AES     SHA256  RSA
   5:  10  DES-CBC3-SHA   192   SSL3    Native  DES     SHA     RSA
   6:  10  DES-CBC3-SHA   192   TLS1    Native  DES     SHA     RSA
   7:  10  DES-CBC3-SHA   192   TLS1.2  Native  DES     SHA     RSA
   8:  10  DES-CBC3-SHA   192   DTLS1   Native  DES     SHA     RSA
   9:   5  RC4-SHA        128   SSL3    Native  RC4     SHA     RSA
  10:   5  RC4-SHA        128   TLS1    Native  RC4     SHA     RSA
  11:   5  RC4-SHA        128   TLS1.2  Native  RC4     SHA     RSA
  12:  47  AES128-SHA     128   SSL3    Native  AES     SHA     RSA
  13:  47  AES128-SHA     128   TLS1    Native  AES     SHA     RSA
  14:  47  AES128-SHA     128   TLS1.2  Native  AES     SHA     RSA
  15:  47  AES128-SHA     128   DTLS1   Native  AES     SHA     RSA
  16:  60  AES128-SHA256  128   TLS1.2  Native  AES     SHA256  RSA
  ```
- chester_16314 (Nimbostratus)
  Great, that worked! So as a follow up, does doing this make any sense? I wanted to prove I could make use of the 256 bit key, but in reality is there really any added security to offset that performance hit?
- nitass (Employee)
  I do not have an answer for you, but just thinking key length is not the only factor - the algorithm also has an effect.
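
The ordering effect discussed in the thread, as an added example that is not code posted by any participant: it parses the @SPEED listing shown above, reorders it with a stable sort on BITS (which reproduces the @STRENGTH listing on this page), and shows which suite is picked first for a client. The client offer set and the rule that the profile's order decides are assumptions of the example.

```python
# Rows copied from the @SPEED listing in the thread (ID: SUITE-ID NAME BITS PROT ...).
SPEED_LISTING = """\
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
3: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
4: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
8: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
9: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
10: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
11: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
12: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
13: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
14: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
16: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
"""

def parse(listing):
    """Return [(suite, bits, prot)] in the order tmm printed them."""
    rows = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].rstrip(":").isdigit():
            rows.append((f[2], int(f[3]), f[4]))
    return rows

def by_strength(rows):
    """Stable sort on BITS, highest first; ties keep their listed order."""
    return sorted(rows, key=lambda r: -r[1])

def negotiate(rows, prot, offered):
    """First listed suite for `prot` that the client offers (assumes the
    profile's order decides, which is what the thread's result suggests)."""
    return next(((s, b) for s, b, p in rows if p == prot and s in offered), None)

def suite_order(rows):
    """Distinct suite names in preference order."""
    return list(dict.fromkeys(s for s, _, _ in rows))

if __name__ == "__main__":
    speed = parse(SPEED_LISTING)
    offer = {"RC4-SHA", "AES128-SHA", "AES256-SHA"}  # hypothetical client offer
    print("@SPEED   :", negotiate(speed, "TLS1", offer))
    print("@STRENGTH:", negotiate(by_strength(speed), "TLS1", offer))
    print(suite_order(by_strength(speed)))
```

Sorting purely on the BITS column places DES-CBC3-SHA (listed as 192) ahead of every AES128 suite, although three-key 3DES has an effective strength of about 112 bits, which is one concrete case of the algorithm mattering as well as the key length.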