
How to find which cipher suite is used or not?

kridsana
Cirrocumulus

For example, we have cipher suites as below:

ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) SHA256
ECDHE-RSA-AES128-CBC-SHA (0xc013) SHA
ECDHE-RSA-AES128-SHA256 (0xc027) SHA256

How can we know which cipher suite is used or not used?

Can we see how many times that cipher suite is used?

I saw that F5 keeps statistics about the SSL key exchange algorithm (ECDHE, DES, etc.) but no statistics about a specific cipher suite.


CA_Valli
MVP

Hello, you can restrict cipher suite selection from your clientssl/serverssl profiles.
When you're tuning it, you can list the suites allowed by your string using the bash command tmm --clientciphers <string>, e.g. tmm --clientciphers "DEFAULT".

With the "@STRENGTH" syntax, one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: "DEFAULT@STRENGTH").
Here's an SSL cheatsheet by the way.

The best way to determine which one is negotiated is performing a packet capture. Or, log it with an iRule.

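# Runs when the ClientHello arrives: log what the client offered.
when CLIENTSSL_CLIENTHELLO {
    set client_ciphers [SSL::cipher clientlist]
    log local0. "Cipher suite ID's available for negotiation (client selection): $client_ciphers"
}

# Runs once the client-side handshake completes: log the negotiated suite.
when CLIENTSSL_HANDSHAKE {
    set suite [SSL::cipher name]
    log local0. "Selected suite: $suite"
}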
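
Counting how often each suite was negotiated, and which suites from the question never appear, can be done over the "Selected suite:" lines the iRule above writes. This is an added example, not part of the original reply; the sample log lines, host name, rule name /Common/log_cipher and the function names are constructed or hypothetical.

```shell
#!/bin/bash
# Constructed sample lines shaped like iRule log output; the host name and the
# rule name /Common/log_cipher are hypothetical, not taken from a real device.
sample_log() {
cat <<'EOF'
Jan 12 10:15:01 bigip1 info tmm1[12345]: Rule /Common/log_cipher <CLIENTSSL_CLIENTHELLO>: Cipher suite ID's available for negotiation (client selection): (placeholder)
Jan 12 10:15:01 bigip1 info tmm1[12345]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Jan 12 10:15:04 bigip1 info tmm[12345]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-CBC-SHA
Jan 12 10:15:09 bigip1 info tmm1[12345]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
Jan 12 10:15:12 bigip1 info tmm1[12345]: Rule /Common/log_cipher <CLIENTSSL_HANDSHAKE>: Selected suite: ECDHE-RSA-AES128-GCM-SHA256
EOF
}

# count_suites: log lines on stdin -> "<count> <suite>", most used first.
# Only lines carrying the iRule's "Selected suite: " marker are counted.
count_suites() {
  awk -F'Selected suite: ' '
    NF > 1 {
      split($2, a, "[ \t\r]")          # keep the first token after the marker
      if (a[1] != "") n[a[1]]++        # ignore lines with an empty suite name
    }
    END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# unused_suites SUITE...: log lines on stdin -> the listed suites that were
# never negotiated. Names are compared as exact strings, so pass them in the
# spelling the log actually shows.
unused_suites() {
  count_suites | awk -v cfg="$*" '
    { seen[$2] = 1 }
    END {
      n = split(cfg, c, " ")
      for (i = 1; i <= n; i++) if (!(c[i] in seen)) print c[i]
    }'
}

echo "Negotiated (count suite):"
sample_log | count_suites
echo "Configured but never negotiated:"
sample_log | unused_suites ECDHE-RSA-AES128-GCM-SHA256 \
  ECDHE-RSA-AES128-CBC-SHA ECDHE-RSA-AES128-SHA256
```

On a BIG-IP, local0 messages from iRules are written to /var/log/ltm, so the same functions can read that file instead of the sample. A suite with no hits over a representative logging period is a candidate for removal from the profile's cipher string.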