cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

How to find which cipher suit is used or not?

kridsana
Cirrostratus
Cirrostratus

For example
we have cipher suite as below

ECDHE-RSA-AES128-GCM-SHA256 (0xc02f)SHA256
ECDHE-RSA-AES128-CBC-SHA (0xc013)SHA
ECDHE-RSA-AES128-SHA256 (0xc027)SHA256

How can we know which cipher suit is used or not used?

Can we see how many times that cipher suit is using?

I saw F5 keep statistic about ssl exchange key algorithm (ECDHE, DES, etc) but no statistics about specific cipher suit. 

1 REPLY 1

CA_Valli
Cirrocumulus
Cirrocumulus

Hello, you can restrict cipher suites selection from your clientssl/serverssl profiles. 
When you're tuning it, you can list the suites allowed by your string using bash command tmm --clientciphers <string> , ex. tmm --clientciphers "DEFAULT".

With "@STRENGTH" syntax one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH" ).
Here's an SSL cheatsheet by the way. 

Best way to determine which one is negotiated is performing a packet capture. Or, log it with an iRule. 

 

 

 

when CLIENTSSL_CLIENTHELLO {

    set client_ciphers [SSL::cipher clientlist]
    log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
}

when CLIENTSSL_HANDSHAKE {
    set suite [SSL::cipher name]
    log local0. "Selected suite: $suite"
}