Cipher Rules And Groups in BIG-IP v13
My mother used to always tell me two things before I left for school in the morning.
- Be wary of what ciphers your application supports
- Never use the Default cipher list unless you have compatibility concerns
You may have had a different upbringing from me but my mom's lessons still apply to anyone using SSL/TLS enabled systems. We know from Señor Wagnon's Security Sidebar: Improving Your SSL Labs Test Grade how cumbersome modifying lengthy cipher strings can be to keep your SSL Labs A grade. We know as BIG-IP matures we update the DEFAULT cipher list to remove deprecated entries and introduce fancy new ones. This causes negative affects on those legacy applications we like to keep lying around. Lastly, we know that not everyone appreciates meditating in SSH sessions; pondering countless tmm --clientciphers commands to figure out what cipher string they'll need in order to get achieve an SSL Labs A+ grade. We have a solution for you.
Cipher Rules & Groups
BIG-IP version 13 introduces Cipher Rules & Groups; an alternate way to visualize, organize, and apply cipher suites to your client and ssl profiles. You still need a basic understanding of cipher strings and I recommend you review Megazone's article: Cipher Suite Practices and Pitfalls article before gallivanting through Cipher Rules & Groups; you'll stub a toe. Cipher rules and the subsequent groups that contain them allow the same boolean operators used in tmm cipher strings.
Boolean Operations in Cipher Groups
- UNION = Allow the following:
- INTERSECT = Restrict the Allowed List to the following:
- DIFFERENCE =Exclude the following from the Allowed List:
F5 includes 5 default cipher rules and applies them via 5 default cipher groups of the same name (included is the tmm command to view each cipher list used):
- f5-aes =
tmm --clientciphers AES - f5-default =
tmm --clientciphers DEFAULT - f5-ecc =
tmm --clientciphers ECDHE:ECDHE_ECDSA - f5-secure =
tmm --clientciphers ECDHE:RSA:!SSLV3:!RC4:!EXP:!DES - f5-hw_keys =
tmm --clientciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:RC4-MD5:DHE-RSA-DES-CBC-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:!TLSv1:!TLSv1_1:!SSLv3:!DTLSv1
The last one related to HSM ciphers was crazy long wasn't it. This is why we built cipher rules and groups; to prevent you from banging your head on the table because you got the operand wrong somewhere after ECDHE-RSA-AES128-GCM-SHA256. The F5 provided rules and groups are read-only and should used as a reference or starting template. If you rely only on the default F5 cipher rules/groups they will change as our cryptographic requirements change and you could end up with a bunch of incompatible legacy clients.
Building A Cipher Rule
Because Cipher Rules and Groups are applied to SSL Profiles, you can find them under Local Traffic in the web GUI. Clicking into Local Traffic => Ciphers gives you two options: Cipher Rules and Cipher Groups. I'll create one Cipher Rule based on tmm cipher string ALL:SSLv3:EXPORT. This is only for display purposes to better illustrate the boolean operations when we build the Cipher Group. Current ciphers based on BIG-IP version and Hotfix are listed in the NATIVE cipher list. Remember, we have to support a lot of ciphers that may not be appropriate for public consumption.
Building Cipher Groups
Now we'll build a Cipher Group starting with the chase_all Cipher Rule, because we're gluttons for punishment. Clicking the + expands the ciphers allowed under each Cipher Rule. Adding it to the "Allow the following" element, the Cipher Audit element below will automatically update to reflect the ciphers this group will provide the Client or Server Profile. Remember, anything added in that window is performing a Boolean Union operation.
Adding the f5-aes Cipher Rule to the "Restrict the Allowed List to the following:" element which will reduce the chase_all cipher list to only ciphers common to both ALL:SSLv3:EXPORT and AES lists; performing a Boolean Intersection operation. The Cipher Audit element shows the results and we can see those pesky RC4-MD5 suites from EXPORT are gone, but ew... we have some SSLv3-enabled ciphers and we want those out. I'll create a new Cipher Rule called chase_sslv3 with the cipher string only being SSlv3. I'll add this new Cipher Rule to the "Exclude the following from the Allowed List:"; performing a Boolean Difference operation. We can also change the cipher sorting based on speed, strength, FIPS, or hardware accelerated via the Order dropdown.
Ahh.... better, now we've paired down a horribly insecure cipher list with the intersection of the AES ciphers and exclusion of the SSlv3s. Yea, we could have started with the AES Cipher Rule as the base list but that's not as fun for this demonstration. The lifecycle of a BIG-IP SSL profile requires active management of cipher suites. This demo illustrates the flexability of additive/subtractive cipher management which reduces the complexity of recreating the wheel every time someone nullifies the security of existing algorithms or hash functions.
Applying Cipher Groups to Client/Server Profiles
Open an SSL Client or Server Profile and change the configuration to advanced. The cipher list becomes available and is defaulted to a Cipher String. Now you have a radio button for Cipher Group, selecting the newly created object or click the + button to create one from scratch.
TMSH Support for Cipher Rules and Groups
We have support for tmsh commands so you can take advantage of adding cipher groups to existing profiles.
# tmsh list ltm cipher rule f5-secure all-properties
ltm cipher rule f5-secure {
app-service none
cipher ECDHE:RSA:!SSLV3:!RC4:!EXP:!DES
description "Cipher suites that maximize regulatory compliance."
partition Common
}
# tmsh show ltm cipher rule f5-secure ----------------- Ltm::Cipher::Rule ----------------- Name Result ----------------- f5-secure ECDHE-RSA-AES128-GCM-SHA256/TLS1.2:ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-GCM-SHA384/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDHE-RSA-DES-CBC3-SHA/TLS1.0:ECDHE-RSA-DES-CBC3-SHA/TLS1.1:ECDHE-RSA-DES-CBC3-SHA/TLS1.2:AES128-GCM-SHA256/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-GCM-SHA384/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:CAMELLIA128-SHA/TLS1.0:CAMELLIA128-SHA/TLS1.1:CAMELLIA128-SHA/TLS1.2:CAMELLIA256-SHA/TLS1.0:CAMELLIA256-SHA/TLS1.1:CAMELLIA256-SHA/TLS1.2:DES-CBC3-SHA/TLS1.0:DES-CBC3-SHA/TLS1.1:DES-CBC3-SHA/TLS1.2:DES-CBC3-SHA/DTLS1.0
# tmsh list ltm cipher group chases_cipher_group all-properties
ltm cipher group chases_cipher_group {
allow {
chase_all { }
}
app-service none
description "MY CIPHERS ARE THE BEST CIPHERS"
exclude {
chase_sslv3 { }
}
ordering default
partition Common
require {
f5-aes { }
}
}
# tmsh show ltm cipher group chases_cipher_group --------------------------- Ltm::Cipher::Group --------------------------- Name Result --------------------------- chases_cipher_group ECDHE-RSA-AES128-CBC-SHA/TLS1.0:ECDHE-RSA-AES128-CBC-SHA/TLS1.1:ECDHE-RSA-AES128-CBC-SHA/TLS1.2:ECDHE-RSA-AES128-SHA256/TLS1.2:ECDHE-RSA-AES256-CBC-SHA/TLS1.0:ECDHE-RSA-AES256-CBC-SHA/TLS1.1:ECDHE-RSA-AES256-CBC-SHA/TLS1.2:ECDHE-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES128-SHA256/TLS1.2:ECDH-RSA-AES128-SHA/TLS1.0:ECDH-RSA-AES128-SHA/TLS1.1:ECDH-RSA-AES128-SHA/TLS1.2:ECDH-RSA-AES256-SHA384/TLS1.2:ECDH-RSA-AES256-SHA/TLS1.0:ECDH-RSA-AES256-SHA/TLS1.1:ECDH-RSA-AES256-SHA/TLS1.2:AES128-SHA/TLS1.0:AES128-SHA/TLS1.1:AES128-SHA/TLS1.2:AES128-SHA/DTLS1.0:AES128-SHA256/TLS1.2:AES256-SHA/TLS1.0:AES256-SHA/TLS1.1:AES256-SHA/TLS1.2:AES256-SHA/DTLS1.0:AES256-SHA256/TLS1.2:ECDHE-ECDSA-AES128-SHA/TLS1.0:ECDHE-ECDSA-AES128-SHA/TLS1.1:ECDHE-ECDSA-AES128-SHA/TLS1.2:ECDHE-ECDSA-AES128-SHA256/TLS1.2:ECDHE-ECDSA-AES256-SHA/TLS1.0:ECDHE-ECDSA-AES256-SHA/TLS1.1:ECDHE-ECDSA-AES256-SHA/TLS1.2:ECDHE-ECDSA-AES256-SHA384/TLS1.2:ECDH-ECDSA-AES128-SHA/TLS1.0:ECDH-ECDSA-AES128-SHA/TLS1.1:ECDH-ECDSA-AES128-SHA/TLS1.2:ECDH-ECDSA-AES128-SHA256/TLS1.2:ECDH-ECDSA-AES256-SHA/TLS1.0:ECDH-ECDSA-AES256-SHA/TLS1.1:ECDH-ECDSA-AES256-SHA/TLS1.2:ECDH-ECDSA-AES256-SHA384/TLS1.2:DHE-RSA-AES128-SHA/TLS1.0:DHE-RSA-AES128-SHA/TLS1.1:DHE-RSA-AES128-SHA/TLS1.2:DHE-RSA-AES128-SHA/DTLS1.0:DHE-RSA-AES128-SHA256/TLS1.2:DHE-RSA-AES256-SHA/TLS1.0:DHE-RSA-AES256-SHA/TLS1.1:DHE-RSA-AES256-SHA/TLS1.2:DHE-RSA-AES256-SHA/DTLS1.0:DHE-RSA-AES256-SHA256/TLS1.2:DHE-DSS-AES128-SHA/TLS1.0:DHE-DSS-AES128-SHA/TLS1.1:DHE-DSS-AES128-SHA/TLS1.2:DHE-DSS-AES128-SHA/DTLS1.0:DHE-DSS-AES128-SHA256/TLS1.2:DHE-DSS-AES256-SHA/TLS1.0:DHE-DSS-AES256-SHA/TLS1.1:DHE-DSS-AES256-SHA/TLS1.2:DHE-DSS-AES256-SHA/DTLS1.0:DHE-DSS-AES256-SHA256/TLS1.2:ADH-AES128-SHA/TLS1.0:ADH-AES256-SHA/TLS1.0
# tmsh list ltm profile client-ssl chases_ssl_client_profile
ltm profile client-ssl chases_ssl_client_profile {
app-service none
cert default.crt
cert-key-chain {
default {
cert default.crt
key default.key
}
}
chain none
cipher-group chases_cipher_group
ciphers none
defaults-from clientssl
inherit-certkeychain true
key default.key
passphrase none
}
# tmsh list ltm profile server-ssl chases_ssl_server_profile
ltm profile server-ssl chases_ssl_server_profile {
app-service none
cipher-group chases_cipher_group
ciphers none
defaults-from serverssl
}
Validating Your Ciphers With NMAP
A lot of users are not always comfortable with how we output our cipher lists. NMAP provides a user-preferred display using the ssl-enum-ciphers script. In this case, we'll check out SSL Labs web server's ciphers. Run the following:
$ nmap -Pn -sT www.ssllabs.com -p 443 --script ssl-enum-ciphers Starting Nmap 6.40 at 2017-02-24 11:22 PST Nmap scan report for www.ssllabs.com (64.41.200.100) Host is up (0.035s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | SSLv3: No supported ciphers found | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | compressors: | NULL | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | compressors: | NULL | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | compressors: | NULL |_ least strength: strong Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
Hopefully this overview and mini-demo got you pondering how you can improve cipher management in your infrastructure. As the crypto world discovers new ways to compromise math, we have to keep on our toes more than ever. Google Research and CWI Amsterdam just published the first real world hash collision for SHA-1 proving we need to stay informed. The idea is simple, create Cipher Rules based on your needs and reuse them against application or security policy-centric Cipher Groups. Segregating Cipher management from Client and Server SSL Profiles creates a more flexibility for application owners and should reduce the cipher string headache every time there's a new vulnerability. Drop us a line on your thoughts and let us know if we're going down the right path or if ther are other things you wish to see related to cipher management.
Keep it real.
Updated Jun 06, 2023
Version 2.0
Chase_Abbott
Employee
Employee- Chase_Abbott
Thanks for the folow up Piotr!
dragonflymrCirrostratus
Hi Chase,
No problem :-)
Do you know by chance how DH Groups and Signature Algorithms (new fields in v14) can be used when creating Cipher Rule?
Piotr
- Chase_Abbott
I don't. Haven't installed it yet but that's on my short list to do.
- MegaZone
SIRT
Those new fields are for TLSv1.3, which is only Draft 26 support in 14.0.x, so not that useful yet. (14.1.0 should have RFC TLSv1.3 support.) They're part of the changes in TLSv1.3 - the signature algorithm is no longer specified as part of the cipher suite, and you can now specify the parameters for (EC)DH(E).
- dragonflymr
Hi,
Thanks a lot for info. I was not able to find any info on AskF5 :-(
Piotr
Cyril_MAltostratus
It's good to know that you provide fine tuning for people who want to go deep in cipher management, but I would also appreciate a more intuitive approach for those who don't want to spend too much time in deciding what is good or wrong, based on Mozilla's recommandations for instance : max compatibility (not recommended) / Intermediate / Modern (max security) / Custom...
I'm surprised to see that in v14 the default "Clientssl" profile comes with the "No TLSv1.3" option enabled, why did you chose to exclude it by default ?
Also, why does the Cipher Rule "f5-default" comes with TLS1.3 whereas "f5-secure" doesn't use it ? I would have expected the opposite
Thanks anyway for the effort
- Chase_Abbott
Hi ;
Popular browsers are commonly ahead of enterprise application development. Those updates can cause as many disruptions to internal infrastructure as well as larger SaaS solutions that still rely on existing and established security standards & practices. This article was written for v13 which predated a lot of recent public and private browser behavior changes and security recommendations. I'll check out updating it for v15 if there are discrepancies.
In another article series I brought up a case where Google Chrome devs made an arbitrary and not-widely communicated decision to drop secp521r1 simply because they didn't see many people using it. But given it was ECC and performance was not a hindering factor, a lot of high security departments implemented internally (and because it was in the approved lists at the time). Google's decision broke entire internal CA infrastructure. Those companies rely on best practices and not what Google or Mozilla decide for us.
Mozilla's recommendations are geared towards trending-edge security which is great from forward thinking perspective or smaller lightweight apps that can update quickly but we've also seen those recommendations break as many applications and possibly cause performance issues when people didn't understand the ramifications of new settings on existing systems during high volume traffic. If you note the modern config on Mozilla's config generator states "Services with clients that support TLS 1.3 and don't need backward compatibility". That backward compatibility is often required by industries and Fed sectors that hard lock a specific vendor configuration.
Regarding v14's support of TLS 1.3. Megazone's comment in this article from last year correctly stated that we released v14 prior to TLS 1.3 moving out of draft 26.
"Those new fields are for TLSv1.3, which is only Draft 26 support in 14.0.x, so not that useful yet. (14.1.0 should have RFC TLSv1.3 support.) They're part of the changes in TLSv1.3 - the signature algorithm is no longer specified as part of the cipher suite, and you can now specify the parameters for (EC)DH(E)." - Megazone
14.1.0.1+ supports the the RFC 8446 for TLS 1.3. More here: K10251520
In v14.1.0.1+ if you run tmm --clientciphers tlsv1_3 you get:
ID SUITE BITS PROT CIPHER MAC KEYX 0: 4865 TLS13-AES128-GCM-SHA256 128 TLS1.3 AES-GCM NULL * 1: 4866 TLS13-AES256-GCM-SHA384 256 TLS1.3 AES-GCM NULL * 2: 4867 TLS13-CHACHA20-POLY1305-SHA256 256 TLS1.3 CHACHA20-POLY1305 NULL *The good question/discussion you bring up is related to f5-default and f5-secure... the rule of thumb within the DevCentral community and F5's support is to use default or whatever prebuilt cipher list as a starting point and not rely on them as your configuration source of truth. The cipher suites can and usually change with each version and sometimes hotfix and you don't want dynamically updating cipher suites for your applications: start with default or secure and work from there. You definitely don't want to be using default and have it change and your application break because of a hot fix upgrade. That's why this article was written, to make managing cipher suites easier for the non-security professional.
Your discussion that you want a think a more intuitive approach for those who don't want to spend too much time in deciding what is good or wrong is very valid and makes a lot of sense for current application developers. That's something we can bring back to dev groups and discuss and a lot of this functionality grew out of the many industries we have to support, not just software applications. It could be time to review or name things a bit nicer OR even include a few new cipher lists that have app dev in mind.
Thanks for commenting, it was a good discussion point to an article written a while ago and probably needs some dusting off.
- Cyril_M
Thanks a lot Chase, for both your interesting article and feedback ! I learned a lot.
The reason I'm putting this on the table is because I just upgraded from v12 to v14.1.2 and a lot of warnings were raised in the upgrade log file related to Ciphers in SSL profiles, The upgrade procedure created a new server SSL profile by the name my first https monitor in the alphabetical order, and applied it to all my https monitors ... That was kind of an unexpected behavior, so I did my researches and ended up here, wondering what was the best way to move back closer to the F5 standards :)
And I must confess I'm still not sure about the best config I can make, because your exemple shows what can be done with the new tool, but not what should be done to get an A at Qualys scan for instance ...
BTW, that could also be a way to make the cipher list management more user-friendly to sort them by Qualys rating "as of the day of the tmos release". Today that's how I proceed, by publishing a test website online and running the scan to see if my SSL profile is fine, but it takes time and it requires a public access to the website, not everyone have both :)
- dragonflymr
Hi,
@Chase - great explanation!
Just small note for people using vCMP - it was a bit surprise for me, so maybe worth sharing :-) According to K10251520: BIG-IP support for TLS 1.3 if you want to use TLS 1.3 on vCMP guest you need both host and guest running at least 14.1.0.1. Not obvious part is that 14.1.x.x is required as well for host.
Piotr
- Chase_Abbott
Good point! 14.1.0.1+ for everything to properly support it (my screen shot was of v15 but it's the same as v14 so c'est la vie).
Your upgrade from 12 to 14.1.2 had a lot of security happenings between those versions and your experience was definitely odd. Were you using the default ServerSSL profile? My rule of thumb from experience (on version 10 when we tested the first Exchange 2010 iApp) was to create all new profiles and break inheritance for any potential impacting settings. That was something learned the hard way even with the developers 100 meters away.
Regarding the SSL Labs A grade, I like this idea and will explore it further with my team and possibly support. Given current BIG-IP releases are spaced farther apart than SSL Labs updates sometimes, we can either cover it in documentation and include maybe a cipher group config output or something. I like this idea though of reexamining our cipher groups and maybe naming better aligned to the suites contained within.
Good ideas all around and it would definitly make the features easier to understand and use!
