Cipher Suite Practices and Pitfalls
Updated Jun 06, 2023
Version 3.0
Oh wow, this is such a fantastic article. I was actually attempting to block protocols using the cipher string, definitely changing my approach now.
One of my LTMs runs BIG-IP v11.4.1, and on this I wanted to purely use ECDHE key exchange with only TLS1.2. I was thinking that I would use ECDHE+AES, then use the Options list to block TLS1, TLS1.1, DTLS, SSLv2 and SSLv3.
tmm --clientciphers 'ECDHE+AES'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
1: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
2: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
5: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
And to see what happens when I disable TLS1 and TLS1.1:
tmm --clientciphers 'ECDHE+AES:!TLSv1:!TLSv1_1'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
I noticed that I could also do:
tmm --clientciphers 'ECDHE+AES+TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
Is this a good idea to add +TLSv1_2 to the string? I can't see any pitfalls to this, but I'm not super experienced with cipher strings.
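The two approaches in the comment above (exclude with !TLSv1:!TLSv1_1, or intersect with +TLSv1_2) can be compared by running a small model of how a cipher string is evaluated. The following is an added example, not code from the comment's author or from F5, and it assumes a simplified model of the BIG-IP cipher-string rules: keywords joined with + must all match a row, ! removes matching rows for the rest of the string, and - removes them but lets a later token add them back. The Suite class, the CATALOG (the six rows shown above plus two constructed extras, a 3DES ECDHE suite and a plain-RSA AES suite) and the keyword mapping are assumptions made for this example.

```python
# Added example (not from the page's author or from F5): a toy evaluator for
# BIG-IP-style cipher strings, used to compare "!TLSv1:!TLSv1_1" exclusion
# against "+TLSv1_2" intersection over a constructed suite table.
from dataclasses import dataclass

# Map tmm's PROT column onto the protocol keywords used in cipher strings.
PROT_KEYWORD = {"TLS1": "TLSv1", "TLS1.1": "TLSv1_1", "TLS1.2": "TLSv1_2"}


@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    bits: int
    prot: str
    cipher: str
    mac: str
    keyx: str

    def keywords(self):
        """Keywords this (suite, protocol) row answers to. Simplified model:
        the cipher, the MAC, the full and leading key-exchange tokens
        (ECDHE_RSA -> ECDHE_RSA and ECDHE) and the protocol keyword."""
        return {self.cipher, self.mac, self.keyx, self.keyx.split("_")[0],
                PROT_KEYWORD[self.prot]}


# Constructed catalog: the six rows the comment above shows, plus a 3DES
# ECDHE suite and a plain-RSA AES suite so that filtering has something to drop.
CATALOG = [
    Suite(49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1", "AES", "SHA", "ECDHE_RSA"),
    Suite(49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1.1", "AES", "SHA", "ECDHE_RSA"),
    Suite(49171, "ECDHE-RSA-AES128-CBC-SHA", 128, "TLS1.2", "AES", "SHA", "ECDHE_RSA"),
    Suite(49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1", "AES", "SHA", "ECDHE_RSA"),
    Suite(49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1.1", "AES", "SHA", "ECDHE_RSA"),
    Suite(49172, "ECDHE-RSA-AES256-CBC-SHA", 256, "TLS1.2", "AES", "SHA", "ECDHE_RSA"),
    Suite(49170, "ECDHE-RSA-DES-CBC3-SHA", 168, "TLS1", "DES", "SHA", "ECDHE_RSA"),
    Suite(47, "AES128-SHA", 128, "TLS1.2", "AES", "SHA", "RSA"),
]


def matches(suite, expr):
    """'A+B+C' matches a row only if the row carries every keyword (AND)."""
    return all(kw in suite.keywords() for kw in expr.split("+"))


def evaluate(cipher_string, catalog=CATALOG):
    """Walk the ':'-separated string left to right.
    plain token  -> append every matching row not yet selected and not banned
    '-' token    -> drop matching rows now; a later token may add them back
    '!' token    -> drop matching rows and ban them for the rest of the string
    """
    selected, banned = [], set()
    for token in filter(None, (t.strip() for t in cipher_string.split(":"))):
        if token[0] == "!":
            banned.update(s for s in catalog if matches(s, token[1:]))
            selected = [s for s in selected if s not in banned]
        elif token[0] == "-":
            selected = [s for s in selected if not matches(s, token[1:])]
        else:
            for s in catalog:
                if matches(s, token) and s not in banned and s not in selected:
                    selected.append(s)
    return selected


def render(rows):
    """Tabulate the result roughly like 'tmm --clientciphers' does, as one string."""
    lines = ["ID SUITE BITS PROT CIPHER MAC KEYX"]
    for i, s in enumerate(rows):
        lines.append(f"{i}: {s.suite_id} {s.name} {s.bits} {s.prot} {s.cipher} {s.mac} {s.keyx}")
    return "\n".join(lines)


if __name__ == "__main__":
    for cs in ("ECDHE+AES", "ECDHE+AES:!TLSv1:!TLSv1_1", "ECDHE+AES+TLSv1_2",
               "ECDHE+AES:!TLSv1:TLSv1", "ECDHE+AES:-TLSv1:TLSv1"):
        print(f"tmm --clientciphers '{cs}'")
        print(render(evaluate(cs)), end="\n\n")
```

Over this table the exclusion form and the +TLSv1_2 intersection yield the same two TLS1.2 rows, matching the comment's observation. The model also shows where the two prefixes differ: a suite removed with ! stays out even if a later token names it again, whereas one removed with - comes back, which is the property to check when a long string is assembled from several parts.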