LTM Cipher rule

Question

Hello:I've been asked to allow just some security protocols but I think there is not any manual way to just select these.I've tried creating a cipher rule or trying to select using the cipher group.Is this even possible?TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256&nbsp;&nbsp;Kind regards.

ca_valli · Accepted Answer

So, I ran this string :
&nbsp;
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256
&nbsp;
&nbsp;
This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice)&nbsp;

&nbsp;
You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

&nbsp;
or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects)&nbsp;
&nbsp;

&nbsp;
This should be all,regardsCA

psfletchthetek · Answer

HI,&nbsp;
I've done this resently, the f5 has a great cypher config.I think its under local traffic &gt; profiles and your looking for cyphers.First you need to build a cypher rule,So once you have found the cyphers section go and hit create and make a new rule.There is a cypher string which is comma delimited you can start adding in and it starts building and confirming your policy, If you get the string wrong it will tell you straight away!This may helphttps://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiation-configuration-13-0-0/1.htmlSo mightOverview of BIG-IP SSL/TLS cipher suites (f5.com)
and
SSL ciphers supported on BIG-IP platforms (15.x) (f5.com)For one thing, are you expecting tls1.2 and 1.3? I'm no expert but i think the last one is TLS1.3 only.once you have a cypher rule and cypher group worked out.
You need to go to you client ssl profile, and MAKE SURE YOU CLICK ADVANCED!!!&nbsp;Look for cypher group, and tick the custom box on the right hand side.And move the radio button to cypher group, you should then see a drop down box with your cypher group in it.Then, just below that there is a tls filter type section and its on negative logic so things like "no tls1.3" or "no ssl"So you need to make sure that is also set correctly.I had a phase when the cypher rule had tls1.3 configured in it, but i hadn't removed no tls1.3 from the client ssl policy.90mins of my life i wont get back!Lastly, i fully recommend getting a workstation in front of the f5 where you can test the profiles being offered on the f5. nmap has a command that will tell you if you have it right or not. If you need that let me know.
Hope that helps, if you need some images let me know.

ca_valli · Answer

You can tune your clientSSL profile's "cipher string" parameter, if you need those suites only you could possibly specify them explicitely.&nbsp;
Check this cheat sheet out, it's still pretty valid: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf
run in the cli: tmm --ciphersuites "&lt;string&gt;" to see what your string matches before installing

lmediavilla · Answer

Hello:How can I specify them explicitely? Because everythin point that I need cipher suite string. That is a kind of search, I cannot find a pattern to match my needs.The pdf look great.kind regards

ca_valli · Answer

The configuration is implemented via a clientSSL profile.
Every suite you listed is uniquely identified by an ID, for example (according to this link)&nbsp;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 has id 0xC02F (or&nbsp;49199 in decimal).&nbsp;
When you run the command in my last comment on BIGIP, look for suite ID&nbsp;49199, copy the text and paste it in cipher string to include that suite only. To build more suites, you use : (include) or :! (exclude) just like the PDF shows you.&nbsp;
&nbsp;

lmediavilla · Answer

Brilliant, this is exactly what I needed. Many thanks!

Forum Discussion

LTM Cipher rule

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Cipher Rule for just for TLS1.3

Disabling Ciphers

SSL Ciphers (SSLLabs) Warning

SSL Profile Cipher

Cipher negotiated between F5 and Node