LTM Cipher rule

lmediavilla
Nimbostratus

Hello:
I've been asked to allow just some security protocols, but I don't think there is any manual way to select just these.
I've tried creating a cipher rule or selecting them using the cipher group.

Is this even possible?

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256

Kind regards.

CA_Valli
MVP

You can tune your clientSSL profile's "cipher string" parameter; if you need those suites only, you could possibly specify them explicitly.

Check this cheat sheet out, it's still pretty valid: http://smanthey.net/downloads/ssl/ssl-cipher-cs-a4-02.pdf

Run in the CLI: tmm --ciphersuites "<string>" to see what your string matches before installing it.

Hello:
How can I specify them explicitly? Because everything points to me needing a cipher suite string. That is a kind of search; I cannot find a pattern to match my needs.

The PDF looks great.

Kind regards

The configuration is implemented via a clientSSL profile.

Every suite you listed is uniquely identified by an ID; for example (according to this link) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 has ID 0xC02F (or 49199 in decimal).

When you run the command from my last comment on the BIG-IP, look for suite ID 49199, copy the text and paste it into the cipher string to include that suite only. To build up more suites, you use : (include) or :! (exclude), just like the PDF shows you.

So, I ran this string:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256

This should be exactly what you need (BIG-IP 15.1.5.1), as there are 3 repetitions in your list (49199, 49200 and 52392 are all mentioned twice).

You can either use a rule + group now (which might be better if you want to reuse it in multiple profiles)

or just paste the string into your profile (maybe you can make a "template" profile object with this setting and other basic stuff that you can refer to as the "parent" when creating all of your other objects).

This should be all,
regards
CA
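
As an added worked example (not code from this thread), the script below does by hand what the replies above describe: it normalises the loosely spelled names from the question, maps each to its IANA suite ID, drops the three duplicates CA_Valli points out, and emits a colon-delimited cipher string, while flagging the 0x13xx suites that only work if TLS 1.3 is not filtered out in the profile. The BIG-IP names are assumed from the strings shown in this thread (the TLS13- form from Kai_Wilke's rules below), so the result should still be confirmed with tmm --ciphersuites on the box.

```python
import re
# IANA suite name -> (IANA suite ID, BIG-IP cipher-string name). The BIG-IP
# names are the ones shown in this thread (CA_Valli's string, Kai_Wilke's rules).
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (0xC02F, "ECDHE-RSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": (0xC030, "ECDHE-RSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": (0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305-SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": (0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": (0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384"),
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": (0xCCA9, "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"),
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": (0x009E, "DHE-RSA-AES128-GCM-SHA256"),
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": (0x009F, "DHE-RSA-AES256-GCM-SHA384"),
    "TLS_AES_128_GCM_SHA256": (0x1301, "TLS13-AES128-GCM-SHA256"),
    "TLS_AES_256_GCM_SHA384": (0x1302, "TLS13-AES256-GCM-SHA384"),
    "TLS_CHACHA20_POLY1305_SHA256": (0x1303, "TLS13-CHACHA20-POLY1305-SHA256"),
}
def canonical(name):
    """Normalise the loosely spelled names from the question to IANA form."""
    name = re.sub(r"AES(128|256)", r"AES_\1", name.strip().rstrip(","))  # AES128 -> AES_128
    return name + "_SHA256" if name.endswith("CHACHA20_POLY1305") else name

def build_cipher_string(names):
    """Return (cipher_string, duplicate_ids, tls13_ids).
    Duplicates are found by suite ID, so two spellings of one suite collapse."""
    seen, tokens, dups = set(), [], []
    for raw in names:
        suite_id, bigip_name = SUITES[canonical(raw)]
        if suite_id in seen:
            dups.append(suite_id)        # e.g. 49199 listed twice in the question
            continue
        seen.add(suite_id)
        tokens.append(bigip_name)
    tls13 = sorted(i for i in seen if i >> 8 == 0x13)  # 0x13xx = TLS 1.3-only suites
    return ":".join(tokens), dups, tls13

# The 14 names from the question, copied here as the sample input.
REQUESTED = """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256""".split()

if __name__ == "__main__":
    cipher_string, dups, tls13 = build_cipher_string(REQUESTED)
    print("cipher string :", cipher_string)
    print("duplicate IDs :", dups)   # [49199, 49200, 52392], as CA_Valli noted
    print("TLS 1.3 suites:", [hex(i) for i in tls13])  # need TLS 1.3 allowed in the profile
```

The string it prints can be pasted into the profile or a cipher rule, and the duplicate IDs are what to look for in the tmm --ciphersuites output.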

Brilliant, this is exactly what I needed. Many thanks!

Hi,

I've done this recently, the F5 has a great cipher config.
I think it's under Local Traffic > Profiles and you're looking for Ciphers.
First you need to build a cipher rule,
So once you have found the Ciphers section go and hit Create and make a new rule.
There is a cipher string which is comma delimited that you can start adding into, and it starts building and confirming your policy. If you get the string wrong it will tell you straight away!
This may help
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-custom-cipher-ssl-negotiati...
So might
Overview of BIG-IP SSL/TLS cipher suites (f5.com)

and

SSL ciphers supported on BIG-IP platforms (15.x) (f5.com)

For one thing, are you expecting TLS 1.2 and 1.3? I'm no expert but I think the last one is TLS 1.3 only.
Once you have a cipher rule and cipher group worked out,

You need to go to your client SSL profile, and MAKE SURE YOU CLICK ADVANCED!!!
Look for Cipher Group, and tick the Custom box on the right hand side.
And move the radio button to Cipher Group; you should then see a drop-down box with your cipher group in it.
Then, just below that, there is a TLS filter type section and it's on negative logic, so things like "No TLS1.3" or "No SSL".
So you need to make sure that is also set correctly.
I had a phase when the cipher rule had TLS 1.3 configured in it, but I hadn't removed "No TLS1.3" from the client SSL policy.
90 mins of my life I won't get back!

Lastly, I fully recommend getting a workstation in front of the F5 where you can test the profiles being offered by the F5. nmap has a command that will tell you if you have it right or not. If you need that, let me know.

Hope that helps; if you need some images, let me know.

Kai_Wilke
MVP

Hi lmediavilla,

you may import the config below to deploy 5 aligned sets (aka Highly Secure, Secure, Compatible, Highly Compatible, Compatible-Insecure) of cipher rules, cipher groups and SSL profiles to your units.

The SSL profiles can then be used as parent profiles to easily switch between the different sets. Check the results of each set with SSL Labs to see the resulting rating and client compatibility matrix.

ltm cipher rule SSLRule_Compatible {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Highly_Compatible {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Highly_Secure {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Insecure_Compatible {
	cipher ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:-SSLv3:-DTLSv1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher rule SSLRule_Secure {
	cipher TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-CBC-SHA:-TLSv1:-TLSv1_1
	dh-groups DEFAULT
	signature-algorithms DEFAULT
}
ltm cipher group SSLGroup_Compatible {
	allow {
		SSLRule_Compatible { }
	}
}
ltm cipher group SSLGroup_Highly_Compatible {
	allow {
		SSLRule_Highly_Compatible { }
	}
}
ltm cipher group SSLGroup_Highly_Secure {
	allow {
		SSLRule_Highly_Secure { }
	}
}
ltm cipher group SSLGroup_Insecure_Compatible {
	allow {
		SSLRule_Insecure_Compatible { }
	}
}
ltm cipher group SSLGroup_Secure {
	allow {
		SSLRule_Secure { }
	}
}
ltm profile client-ssl Master_ClientSSL_Profile_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Insecure_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
}
ltm profile client-ssl Master_ClientSSL_Profile_Secure {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
}
ltm profile client-ssl Master_ClientSSL_Profile_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
	renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
	renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Highly_Secure_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Highly_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
	renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Insecure_Compatible_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Insecure_Compatible
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	renegotiation disabled
}
ltm profile client-ssl Master_ClientSSL_Profile_Secure_HTTP2 {
	app-service none
	cert-key-chain {
		default {
			cert default.crt
			key default.key
		}
	}
	cipher-group SSLGroup_Secure
	ciphers none
	defaults-from clientssl
	inherit-ca-certkeychain true
	inherit-certkeychain true
	options { dont-insert-empty-fragments }
	renegotiation disabled
}

Cheers, Kai


iRule can do… 😉