Forum Discussion

lmediavilla's avatar
lmediavilla
Icon for Nimbostratus rankNimbostratus
Jan 24, 2023

LTM Cipher rule

Hello: I've been asked to allow just some security protocols but I think there is not any manual way to just select these. I've tried creating a cipher rule or trying to select using the cipher gro...
security
  • CA_Valli's avatar
    CA_Valli
    Jan 25, 2023

    So, I ran this string :

     

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

     

     

    This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice) 

     

    You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

     

    or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects) 

     

     

    This should be all,
    regards
    CA

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP

The configuration is implemented via a clientSSL profile.

Every suite you listed is uniquely identified by an ID, for example (according to this linkTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 has id 0xC02F (or 49199 in decimal). 

When you run the command in my last comment on BIGIP, look for suite ID 49199, copy the text and paste it in cipher string to include that suite only. To build more suites, you use : (include) or :! (exclude) just like the PDF shows you. 

 

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Jan 25, 2023

So, I ran this string :

 

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

 

 

This should be exactly what you need (BIG-IP 15.1.5.1) as there is 3 repetitions in ur list (49199 49200 and 52392 are all mentioned twice) 

 

You can either use a rule + group now (which might be better if u want to recall in multiple profiles)

 

or just paste the string in your profile (maybe you can do a "template" profile object with this setting and other basic stuff that you can refer as "parent" for creating all of your other objects) 

 

 

This should be all,
regards
CA

  • lmediavilla's avatar
    lmediavilla
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2023

    Brilliant, this is exactly what I needed. Many thanks!