cancel
Showing results for 
Search instead for 
Did you mean: 

How to test cipher suite strength?

Julio_Navarro
Cirrostratus
Cirrostratus

Hello,

I am looking for a different (if available) way to test a client-ssl profile and its cipher suite configured besides using openssl against a VIP with the profile in question....?

Important - considering the options set

Is this possible? Its just looking for alternatives. Thank you

 

Thank you

For example:

 

ltm profile client-ssl test_clientssl {   app-service none   cert default.crt   cert-key-chain {     default_default {       cert default.crt       key default.key     }   }   chain none   ciphers DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH   defaults-from clientssl   inherit-certkeychain false   key default.key   options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }   passphrase none }

 

7 REPLIES 7

Hello Julio.

 

You can check what ciphers are going to be assigned by the F5 in the client-side using this:

# tmm --clientciphers 'DEFAULT:!NULL:!LOW:!EXP:!DH:!ADH:!EDH:!RC4:!MD5:!3DES:!AES128-SHA:!AES256-SHA:!RSA:@STRENGTH' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 6: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 7: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 8: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 9: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA

KR,

Dario.

Regards,
Dario.

Thanks Dario!

How about "how to apply the options portion of the profile":

 

options { netscape-reuse-cipher-change-bug microsoft-big-sslv3-buffer msie-sslv2-rsa-padding ssleay-080-client-dh-bug tls-d5-bug tls-block-padding-bug dont-insert-empty-fragments no-ssl no-dtls no-session-resumption-on-renegotiation no-tlsv1.1 single-dh-use ephemeral-rsa cipher-server-preference tls-rollback-bug no-sslv2 no-sslv3 no-tlsv1 pkcs1-check-1 pkcs1-check-2 netscape-ca-dn-bug netscape-demo-cipher-change-bug }

 

 

 

'Options' are specific features to increase security. The better way is to enable all that you can.

REF - https://devcentral.f5.com/s/articles/ssl-profiles-part-5-ssl-options

 

KR,

Dario.

Regards,
Dario.

Julio_Navarro
Cirrostratus
Cirrostratus

Thanks Dario and Nixo1n for your quick replies.

Basically I am looking for the available cipher suites....

For example,

I would like to run a command and be able to get this against a profile:

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  ECDH x25519 (eq. 3072 bits RSA)  FS 128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  ECDH x25519 (eq. 3072 bits RSA)  FS 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  ECDH x25519 (eq. 3072 bits RSA)  FS  WEAK 256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  WEAK 128

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  WEAK 256

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)  WEAK 128

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)  WEAK 256

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK 128

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK 256

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)  WEAK 256

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)  WEAK 128

 

 

 

This will show all possible cipher configured in the profile (taking into consideration the "options" portion)

 

 

 

 

Hello Julio.

 

Sorry, but this doesn't make sense.

 

The cipher involves the F5, but 'options' normally refers to client application vulnerabilities.

 

An example:

"Netscape CA DN bug workaround: This option handles a defect regarding system instability. The system crashes or hangs if the following conditions are met: 1) the system accepts a Netscape browser connection, 2) the system demands a client certificate, 3) the system has a non-self-signed CA that does not have its CA in Netscape, and 4) the browser has a certificate. This option is in place to ensure the system does not crash or hang."

 

So in your previous capture you only have into account the cipher strength, not the options.

 

To test one specific platform you would need to test it from all the different clients possible and depending on that, you would have a complete list o how your enviroment behaves to those queries.

 

There are some applications like Qualys that allow you to test your public site from different clients, but this is far to be an official security audit of your F5 SSL strength. Take into account that some people works (for money) performing security auditories, and it's not only to put a command a CLI 😊.

 

Hope this it helps.

 

KR,

Dario.

Regards,
Dario.

BTW, there other similar tools like nmap that could allow you to perform web tests like Qualys but from inside of your network.

nmap -sV --script ssl-enum-ciphers -p 443 <host>

To execute it, you need to download this script:

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

Regards,
Dario.

Thank you Dario!