F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Feb 24, 2022

How to find which cipher suit is used or not?

For example we have cipher suite as below ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) SHA256 ECDHE-RSA-AES128-CBC-SHA (0xc013) SHA ECDHE-RSA-AES128-SHA256 (0xc027) SHA256 How can we know w...
application delivery
cipher
ssl
suit
CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Feb 28, 2022

Hello, you can restrict cipher suites selection from your clientssl/serverssl profiles. 
When you're tuning it, you can list the suites allowed by your string using bash command tmm --clientciphers <string> , ex. tmm --clientciphers "DEFAULT".

With "@STRENGTH" syntax one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH" ).
Here's an SSL cheatsheet by the way. 

Best way to determine which one is negotiated is performing a packet capture. Or, log it with an iRule. 

 

 

 

when CLIENTSSL_CLIENTHELLO {

    set client_ciphers [SSL::cipher clientlist]
    log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
}

when CLIENTSSL_HANDSHAKE {
    set suite [SSL::cipher name]
    log local0. "Selected suite: $suite"
}