For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

lorenze's avatar
lorenze
Icon for Altocumulus rankAltocumulus
Jan 27, 2021

Enable additional ciphers

Hi Folks, I'm fairly new to F5 and was wondering if we can add additional ciphers to through our ssl profiles. Currently we have Big-IP 11.5.4 and for client and server ssl profile we have t...
application delivery
BIG-IP
security
lorenze's avatar
lorenze
Icon for Altocumulus rankAltocumulus
Jan 27, 2021

Hello  ,

 

Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:

 

DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

 

and see if that gives me the cipher that we need. I'll update here on how it goes.

 

 

Thanks!

Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Jan 27, 2021

Hello Lorenze.

Put this in your CLI:

tmm --clientciphers DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3

If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during TLS handshake.

To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.

Regards,

Dario.