smp_86112
Apr 28, 2014Cirrostratus
Server SSL Profile ciphers
I'm using the following Ciphers string in a server SSL profile on my 11.4.1HF3 LTM:
DEFAULT:-TLSv1_1:-TLSv1_2
The resulting ciphers list is this:
Active:Changes Pending] ~ tmm --serverciphers 'DEFAULT:-TLSv1_1:-TLSv1_2'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
3: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
4: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
Yet when I examine the CLIENTHELLO on the serverside of the connection on the wire, I see the LTM presents a much larger list of available ciphers:
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Shouldn't the LTM only display the ciphers that are output in the
tmm --serverciphers 'DEFAULT:-TLSv1_1:-TLSv1_2'
output - a much smaller list?
Beyond this, I see that adding the @STRENGTH keyword to the Ciphers string does not change the order that the LTM presents the list of ciphers to the server. I'm wondering if I just don't understand something, or if this is bad LTM behavior.