Forum Discussion

Julio_Navarro's avatar
Julio_Navarro
Icon for Cirrostratus rankCirrostratus
Apr 02, 2020

How to test cipher suite strength?

Hello,

I am looking for a different (if available) way to test a client-ssl profile and its cipher suite configured besides using openssl against a VIP with the profile in question....?

Important - considering the options set

Is this possible? Its just looking for alternatives. Thank you

Thank you

For example:

ltm profile client-ssl test_clientssl {
  app-service none
  cert default.crt
  cert-key-chain {
    default_default {
      cert default.crt
      key default.key
    }
  }
  chain none
  ciphers DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH
  defaults-from clientssl
  inherit-certkeychain false
  key default.key
  options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }
  passphrase none
}

7 Replies

Sort By
  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for MVP rankMVP
    Apr 02, 2020

    Hello Julio.

    You can check what ciphers are going to be assigned by the F5 in the client-side using this:

    # tmm --clientciphers 'DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 5: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 6: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 7: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
 8: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
 9: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA

    KR,

    Dario.

    • Julio_Navarro's avatar
      Julio_Navarro
      Icon for Cirrostratus rankCirrostratus
      Apr 02, 2020

      Thanks Dario!

      How about "how to apply the options portion of the profile":

       

      options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }

       

       

       

  • Julio_Navarro's avatar
    Julio_Navarro
    Icon for Cirrostratus rankCirrostratus
    Apr 03, 2020

    Thanks Dario and Nixo1n for your quick replies.

    Basically I am looking for the available cipher suites....

    For example,

    I would like to run a command and be able to get this against a profile:

    # TLS 1.2 (suites in server-preferred order)

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH x25519 (eq. 3072 bits RSA)  FS 128

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH x25519 (eq. 3072 bits RSA)  FS 256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 128

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 128

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 256

    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  WEAK 128

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  WEAK 256

    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  WEAK 128

    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  WEAK 256

    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK 128

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK 256

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)  WEAK 256

    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)  WEAK 128

     

     

     

    This will show all possible cipher configured in the profile (taking into consideration the "options" portion)

     

     

     

     

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP
      Apr 03, 2020

      Hello Julio.

       

      Sorry, but this doesn't make sense.

       

      The cipher involves the F5, but 'options' normally refers to client application vulnerabilities.

       

      An example:

      "Netscape CA DN bug workaround: This option handles a defect regarding system instability. The system crashes or hangs if the following conditions are met: 1) the system accepts a Netscape browser connection, 2) the system demands a client certificate, 3) the system has a non-self-signed CA that does not have its CA in Netscape, and 4) the browser has a certificate. This option is in place to ensure the system does not crash or hang."

       

      So in your previous capture you only have into account the cipher strength, not the options.

       

      To test one specific platform you would need to test it from all the different clients possible and depending on that, you would have a complete list o how your enviroment behaves to those queries.

       

      There are some applications like Qualys that allow you to test your public site from different clients, but this is far to be an official security audit of your F5 SSL strength. Take into account that some people works (for money) performing security auditories, and it's not only to put a command a CLI 😊.

       

      Hope this it helps.

       

      KR,

      Dario.