cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

How to build very specific Cipher string?

Hugo_van_der_K1
Altostratus
Altostratus

How can I specify a very specific Cipher string?

The object is to only allow the ciphers below and offer them in this specific order.

 

TLS13-AES256-GCM-SHA384/TLS1.3

TLS13-CHACHA20-POLY1305-SHA256/TLS1.3

TLS13-AES128-GCM-SHA256/TLS1.3

ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2

ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-GCM-SHA384/TLS1.2

ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2

ECDHE-RSA-AES128-GCM-SHA256/TLS1.2

ECDHE-RSA-AES256-CBC-SHA/TLS1.2

ECDHE-RSA-AES128-CBC-SHA/TLS1.2

 

Is this possible at all?

3 REPLIES 3

Simon_Blakely
F5 Employee
F5 Employee
'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1'# tmm --clientciphers 'TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-CBC-SHA:ECDHE-RSA-AES128-CBC-SHA:!TLSv1:!TLSv1_1' ID SUITE BITS PROT CIPHER MAC KEYX 0: 4866 TLS13-AES256-GCM-SHA384 256 TLS1.3 AES-GCM NULL * 1: 4867 TLS13-CHACHA20-POLY1305-SHA256 256 TLS1.3 CHACHA20-POLY1305 NULL * 2: 4865 TLS13-AES128-GCM-SHA256 128 TLS1.3 AES-GCM NULL * 3: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA 4: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA 5: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA 6: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_RSA 7: 52392 ECDHE-RSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_RSA 9: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 AES SHA ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 AES SHA ECDHE_RSA

 

I removed the CBC Ciphers to be compliant with SSL Labs weak ciphers list :

 

TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!TLSv1:!TLSv1_1

In general, I would make the same recommendation, but the original request was for a specific set of ciphers. There are still some older clients that require CBC ciphers, and cannot be upgraded easily (embedded devices like Smart Meters, for example).