Forum Discussion
LTM Cipher rule
- Jan 25, 2023
So, I ran this string:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256
This should be exactly what you need (BIG-IP 15.1.5.1), as there are 3 repetitions in your list (49199, 49200 and 52392 are all mentioned twice).
You can either use a rule + group now (which might be better if you want to recall it in multiple profiles),
or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer to as "parent" when creating all of your other objects).
This should be all,
regards
CA
Hi,
I've done this recently; the F5 has a great cipher config.
I think it's under Local Traffic > Profiles, and you're looking for Ciphers.
First you need to build a cipher rule.
So once you have found the Ciphers section, go and hit Create and make a new rule.
There is a cipher string, which is comma delimited, that you can start adding to, and it starts building and confirming your policy. If you get the string wrong it will tell you straight away!
This may help
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiation-configuration-13-0-0/1.html
So might
Overview of BIG-IP SSL/TLS cipher suites (f5.com)
and
SSL ciphers supported on BIG-IP platforms (15.x) (f5.com)
For one thing, are you expecting TLS 1.2 and 1.3? I'm no expert, but I think the last one is TLS 1.3 only.
Once you have a cipher rule and cipher group worked out,
you need to go to your client SSL profile, and MAKE SURE YOU CLICK ADVANCED!!!
Look for Cipher Group, and tick the Custom box on the right-hand side.
Then move the radio button to Cipher Group; you should then see a drop-down box with your cipher group in it.
Then, just below that, there is a TLS filter type section, and it's on negative logic, so things like "No TLS1.3" or "No SSL".
So you need to make sure that is also set correctly.
I had a phase when the cipher rule had TLS 1.3 configured in it, but I hadn't removed "No TLS1.3" from the client SSL policy.
90 mins of my life I won't get back!
Lastly, I fully recommend getting a workstation in front of the F5 where you can test the profiles being offered by the F5. nmap has a command that will tell you if you have it right or not. If you need that, let me know.
Hope that helps; if you need some images, let me know.
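The two replies above describe two separate traps: duplicate suites in the cipher string, and a TLS 1.3 suite in the rule while the client SSL profile still has "No TLS1.3" set. The following linter, added here as an example and not code from the thread or from F5, catches both offline; it assumes OpenSSL-style names in a colon-separated string (as in the first reply), and the `IANA_ID` table, `lint_cipher_string`, `profile_mismatches` and the `SAMPLE` string are all constructed for this example.

```python
# Added example, not from the thread or F5: a linter for a BIG-IP (OpenSSL-style,
# colon-separated) cipher string. IANA suite IDs are the numbers the first reply
# quotes (49199 = 0xC02F, 49200 = 0xC030, 52392 = 0xCCA8).
IANA_ID = {
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
    "ECDHE-RSA-AES256-GCM-SHA384": 0xC030,
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256": 0xCCA8,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 0xC02B,
    "ECDHE-ECDSA-AES256-GCM-SHA384": 0xC02C,
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256": 0xCCA9,
    "AES128-GCM-SHA256": 0x009C,
    "AES256-GCM-SHA384": 0x009D,
    "DHE-RSA-AES128-GCM-SHA256": 0x009E,
    "DHE-RSA-AES256-GCM-SHA384": 0x009F,
    "TLS13-AES128-GCM-SHA256": 0x1301,
    "TLS13-AES256-GCM-SHA384": 0x1302,
    "TLS13-CHACHA20-POLY1305-SHA256": 0x1303,
}

def lint_cipher_string(cipher_string):
    """Return the de-duplicated string plus what was dropped or unrecognised."""
    seen, ordered, duplicates, unknown = set(), [], [], []
    for name in filter(None, cipher_string.split(":")):
        suite_id = IANA_ID.get(name)
        if suite_id is None:          # a typo here is what BIG-IP rejects outright
            unknown.append(name)
        elif suite_id in seen:        # same suite listed twice, as in the thread
            duplicates.append((name, suite_id))
        else:
            seen.add(suite_id)
            ordered.append(name)
    # 0x13xx IDs are TLS 1.3 suites; they never negotiate if the profile disables TLS 1.3
    needs_tls13 = [n for n in ordered if IANA_ID[n] >> 8 == 0x13]
    return {"clean": ":".join(ordered), "duplicates": duplicates,
            "unknown": unknown, "needs_tls13": needs_tls13}

def profile_mismatches(cipher_string, tls_filters):
    """Catch the second reply's trap: TLS 1.3 suites in the rule, 'No TLS1.3' in the profile."""
    result = lint_cipher_string(cipher_string)
    norm = {f.lower().replace(" ", "").replace("v", "") for f in tls_filters}
    problems = []
    if result["needs_tls13"] and "notls1.3" in norm:
        problems.append("TLS 1.3 suites listed but the client SSL profile has 'No TLS1.3' set")
    return problems

# Constructed sample: the thread's suites with the three ECDHE-RSA entries repeated.
SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:"
          "TLS13-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-RSA-CHACHA20-POLY1305-SHA256")
```

To confirm what the virtual server actually offers after the profile is applied, `nmap --script ssl-enum-ciphers -p 443 <vip>` is the kind of nmap check the second reply refers to.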