Forum Discussion
CA_Valli
Feb 28, 2022 MVP
Hello, you can restrict cipher suite selection from your clientssl/serverssl profiles.
When you're tuning it, you can list the suites allowed by your string using the bash command tmm --clientciphers <string>, e.g. tmm --clientciphers "DEFAULT".
With the "@STRENGTH" syntax, one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH").
Here's an SSL cheatsheet by the way.
The best way to determine which one is negotiated is performing a packet capture. Or, log it with an iRule:
# Log the cipher suites the client offered in its ClientHello
when CLIENTSSL_CLIENTHELLO {
    set client_ciphers [SSL::cipher clientlist]
    log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
}
# Log the suite actually negotiated once the handshake completes
when CLIENTSSL_HANDSHAKE {
    set suite [SSL::cipher name]
    log local0. "Selected suite: $suite"
}
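
An added example, not part of the original post: a Python script that tallies the "Selected suite:" lines written by the iRule above and lists any weak suites still being negotiated, which helps decide how far the cipher string can be tightened. The sample log lines (host name, rule name, suites) are constructed, and the weak-suite token list is an assumed policy.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/ltm entries written by
# the iRule above; host, rule name and suites are made up for illustration.
SAMPLE_LOG = """\
Feb 28 10:01:02 bigip1 info tmm[11223]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES256-GCM-SHA384
Feb 28 10:01:05 bigip1 info tmm[11223]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Feb 28 10:01:09 bigip1 info tmm1[11223]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: DES-CBC3-SHA
Feb 28 10:01:11 bigip1 info tmm[11223]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES256-GCM-SHA384
Feb 28 10:01:15 bigip1 info tmm[11223]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: RC4-SHA
Feb 28 10:01:20 bigip1 notice mcpd[5001]: unrelated line that must be ignored
"""

# Matches only the message text the iRule logs in CLIENTSSL_HANDSHAKE.
SELECTED = re.compile(r"Selected suite: (\S+)\s*$")
# Name fragments of suites treated as weak (assumed policy, adjust to yours).
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH")


def tally_suites(log_text):
    """Count how often each suite was negotiated."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SELECTED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def is_weak(suite):
    """True if any dash-separated part of the name starts with a weak token."""
    parts = suite.upper().split("-")
    return any(p.startswith(w) for p in parts for w in WEAK_TOKENS)


def weak_report(counts):
    """Weak suites still in use, most frequent first, then by name."""
    weak = [(s, n) for s, n in counts.items() if is_weak(s)]
    return sorted(weak, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    totals = tally_suites(SAMPLE_LOG)
    for suite, n in totals.most_common():
        print(f"{n:5d}  {suite}{'  <-- weak' if is_weak(suite) else ''}")
```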