kridsana
Feb 24, 2022

How to find which cipher suite is used or not?

For example,
we have cipher suites as below:

ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) SHA256
ECDHE-RSA-AES128-CBC-SHA (0xc013) SHA
ECDHE-RSA-AES128-SHA256 (0xc027) SHA256

How can we know which cipher suite is used or not used?

Can we see how many times that cipher suite is used?

I saw that F5 keeps statistics about the SSL key exchange algorithm (ECDHE, DES, etc.) but no statistics about specific cipher suites.

1 Reply

  • Hello, you can restrict cipher suite selection from your clientssl/serverssl profiles.
    When you're tuning it, you can list the suites allowed by your string using the bash command tmm --clientciphers <string>, e.g. tmm --clientciphers "DEFAULT".

    With "@STRENGTH" syntax one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH").
    Here's an SSL cheatsheet by the way.

    The best way to determine which one is negotiated is to perform a packet capture, or log it with an iRule.

    when CLIENTSSL_CLIENTHELLO {
    
        set client_ciphers [SSL::cipher clientlist]
        log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
    }
    
    when CLIENTSSL_HANDSHAKE {
        set suite [SSL::cipher name]
        log local0. "Selected suite: $suite"
    }
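
To get the per-suite counts the question asks for, the "Selected suite:" lines written by the iRule in the reply above can be tallied from the log. The script below is an added example, not part of the original thread: the function names, the rule name `log_ciphers` and the sample log lines are constructed, and it assumes the names logged by `SSL::cipher name` match the names you pass in.

```shell
#!/bin/sh
# Added example: tally the "Selected suite:" lines logged by the iRule above.
#
# cipher_usage SUITE...   (log text on stdin)
# Prints "<count> <suite>" per line, most used first. Suites passed as
# arguments but never logged get count 0; suites logged but not passed as
# arguments are flagged. Assumes logged names match the names passed in.
cipher_usage() {
    awk -v configured="$*" -v marker="Selected suite: " '
        BEGIN {
            n = split(configured, want, " ")
            for (i = 1; i <= n; i++) { count[want[i]] = 0; listed[want[i]] = 1 }
        }
        {
            # Text after the marker is the suite name the iRule logged.
            pos = index($0, marker)
            if (pos == 0) next
            suite = substr($0, pos + length(marker))
            sub(/[ \t\r]+$/, "", suite)
            if (suite != "") count[suite]++
        }
        END {
            for (s in count)
                printf "%d %s%s\n", count[s], s, ((s in listed) ? "" : " (not in list)")
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample lines: host, PID and rule name are made up.
sample_log() {
    cat <<'EOF'
Feb 24 10:15:01 bigip1 info tmm1[12345]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Feb 24 10:15:02 bigip1 info tmm[12345]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-CBC-SHA
Feb 24 10:15:03 bigip1 notice mcpd[5678]: constructed unrelated line
Feb 24 10:15:04 bigip1 info tmm1[12345]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Feb 24 10:15:05 bigip1 info tmm[12345]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: AES256-SHA
Feb 24 10:15:06 bigip1 info tmm1[12345]: Rule /Common/log_ciphers <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
EOF
}

sample_log | cipher_usage ECDHE-RSA-AES128-GCM-SHA256 \
    ECDHE-RSA-AES128-CBC-SHA ECDHE-RSA-AES128-SHA256
```

On a BIG-IP, iRule messages sent to `local0` land in `/var/log/ltm`, so the same function can read that file on stdin instead of the sample. A suite that still shows a count of 0 after a representative period is a candidate for removal from the profile's cipher string.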