How to build very specific Cipher string?

Question

How can I specify a very specific Cipher string?

The object is to only allow the ciphers below and offer them in this specific order.

TLS13-AES256-GCM-SHA384/TLS1.3

TLS13-CHACHA20-POLY1305-SHA256/TLS1.3

TLS13-AES128-GCM-SHA256/TLS1.3

ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2

ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-GCM-SHA384/TLS1.2

ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-RSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-CBC-SHA/TLS1.2

ECDHE-RSA-AES128-CBC-SHA/TLS1.2

Is this possible at all?

simon_blakely · Answer

'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'# tmm --clientciphers 'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'
       ID  SUITE                            BITS PROT    CIPHER              MAC     KEYX
 0:  4866  TLS13-AES256-GCM-SHA384          256  TLS1.3  AES-GCM             NULL    *
 1:  4867  TLS13-CHACHA20-POLY1305-SHA256   256  TLS1.3  CHACHA20-POLY1305   NULL    *
 2:  4865  TLS13-AES128-GCM-SHA256          128  TLS1.3  AES-GCM             NULL    *
 3: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  AES-GCM             SHA384  ECDHE_ECDSA
 4: 52393  ECDHE-ECDSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_ECDSA
 5: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  AES-GCM             SHA256  ECDHE_ECDSA
 6: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  AES-GCM             SHA384  ECDHE_RSA
 7: 52392  ECDHE-RSA-CHACHA20-POLY1305-SHA256   256  TLS1.2  CHACHA20-POLY1305   NULL    ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  AES-GCM             SHA256  ECDHE_RSA
 9: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  AES                 SHA     ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  AES                 SHA     ECDHE_RSA

jean-michel_aud · Answer

I removed the CBC Ciphers to be compliant with SSL Labs weak ciphers list :

TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1

simon_blakely · Answer

In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).

Forum Discussion

How to build very specific Cipher string?

3 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Chrome V 124+ on MacOS - Virtual Server Access Issue

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Related Content

Disabling Specific Weak Cipher Suites

Cipher Suites Supported (12.1.5.3)

LTM Cipher rule

Cipher Suite Practices and Pitfalls

Disabling Weak Ciphers