Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Only show 256 bits ciphers - parent client-ssl profile

Julio_Navarro
Cirrostratus
Cirrostratus

‎22-Oct-2021 08:40

Hello, I have the cipher suite configured in my parent client-ssl profile:

!ECDH_RSA:!ECDH_ECDSA:!SHA:-AES:AES:ECDHE:ECDHE_ECDSA:DHE:DHE_DSS:!RSA

 

How can I only provide ONLY 256 bits ciphers and remove all 128?

 

Do I need to name them or is there a way to commit them in the string?

 

Thank you

 

Julio

Labels:
2 REPLIES 2

CA_Valli
MVP
MVP

‎17-Nov-2021 05:58

Hello Julio,

first things first, I would recommend not to edit default SSL profiles: instead, create a new one and inherit settings from defaults.

 

You can filter ciphers by strength with keywords LOW (64 bit bulk crypto algorithm) , MEDIUM (128-bit) and HIGH ( [ 168 bit/192 bit -- deprecated] and 256-bit ).

 

So your default string should be HIGH , and then exclude unwanted suites.

 

You can test output with command tmm --clientciphers <string> , ex. tmm --clientciphers "HIGH" or tmm --clientciphers "HIGH:!ECDH_RSA:!ECDH_ECDSA:!SHA:!RSA"

Fallout1984
Cirrocumulus
Cirrocumulus
In response to CA_Valli

‎18-Nov-2021 07:50

That's good info. With "@STRENGTH" one can have the cipher negotiation start with the strongest cipher and progress to the weakest (example: DEFAULT:!3DES:!DHE:!RC4:!RSA:@STRENGTH)

 

This is just for anyone who may have a need for it. 😀

Copyright © 2023 Khoros, LLC