Forum Discussion

lmediavilla's avatar
lmediavilla
Icon for Nimbostratus rankNimbostratus
Jan 24, 2023

LTM Cipher rule

Hello: I've been asked to allow just some security protocols but I think there is not any manual way to just select these. I've tried creating a cipher rule or trying to select using the cipher gro...
security
  • CA_Valli's avatar
    CA_Valli
    Jan 25, 2023

    So, I ran this string :

     

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

     

     

    This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice) 

     

    You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

     

    or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects) 

     

     

    This should be all,
    regards
    CA

PSFletchTheTek's avatar
PSFletchTheTek
Icon for MVP rankMVP
Jan 24, 2023

HI, 

I've done this resently, the f5 has a great cypher config.
I think its under local traffic > profiles and your looking for cyphers.
First you need to build a cypher rule,
So once you have found the cyphers section go and hit create and make a new rule.
There is a cypher string which is comma delimited you can start adding in and it starts building and confirming your policy, If you get the string wrong it will tell you straight away!
This may help
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiation-configuration-13-0-0/1.html
So might
Overview of BIG-IP SSL/TLS cipher suites (f5.com)

and

SSL ciphers supported on BIG-IP platforms (15.x) (f5.com)

For one thing, are you expecting tls1.2 and 1.3? I'm no expert but i think the last one is TLS1.3 only.
once you have a cypher rule and cypher group worked out.

You need to go to you client ssl profile, and MAKE SURE YOU CLICK ADVANCED!!! 
Look for cypher group, and tick the custom box on the right hand side.
And move the radio button to cypher group, you should then see a drop down box with your cypher group in it.
Then, just below that there is a tls filter type section and its on negative logic so things like "no tls1.3" or "no ssl"
So you need to make sure that is also set correctly.
I had a phase when the cypher rule had tls1.3 configured in it, but i hadn't removed no tls1.3 from the client ssl policy.
90mins of my life i wont get back!

Lastly, i fully recommend getting a workstation in front of the f5 where you can test the profiles being offered on the f5. nmap has a command that will tell you if you have it right or not. If you need that let me know.

Hope that helps, if you need some images let me know.