Difference between revisions of "Secure Cipher to use in SSL profiles"
From Tech-Wiki
(Created page with "Category:F5 Networks '''Back to Misc''' To list ciphers use the following command # tmm --clientciphers DEFAULT:\!SSLv3 A good cipher removing SSLv...") |
Line 13: | Line 13: | ||
ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA | ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA | ||
− | + | then only the ones below are allowed: | |
ID SUITE BITS PROT METHOD CIPHER MAC KEYX | ID SUITE BITS PROT METHOD CIPHER MAC KEYX |
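Review bot: the added line "then only the ones below are allowed:" starts in lowercase as a sentence fragment and does not name the cipher string it refers to or the command that produced the listing under it. Suggest something like "With this string, tmm --clientciphers lists only the following suites:" so the table stays tied to ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA if more strings are added to the page later.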
Revision as of 15:00, 21 February 2019
To list the ciphers that a cipher string allows, use the following command:
# tmm --clientciphers DEFAULT:\!SSLv3
A good cipher string that removes SSLv3 and weak protocols is:
DEFAULT:!TLSv1_1:!TLSv1:!DTLSv1:!SHA
A stricter, stronger option is the one below:
ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA
With that string, only the suites below are allowed:
       ID  SUITE                          BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 1: 49188  ECDHE-ECDSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
 2: 49195  ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
 3: 49187  ECDHE-ECDSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
 4: 49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 5: 49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
 6: 49199  ECDHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 7: 49191  ECDHE-RSA-AES128-SHA256        128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
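In the listing above, the rows whose CIPHER column reads AES rather than AES-GCM are CBC-mode suites, so the stricter string still admits non-AEAD ciphers. The script below is an added example, not part of the original wiki page: it reads a tmm --clientciphers listing on stdin and reports every suite that is not TLS1.2 or later, not AEAD, or has no ephemeral key exchange. The function names, the extra row 8 in the sample and the CHACHA20 and EDH patterns are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a `tmm --clientciphers` listing read on stdin.
# Field positions follow the listing on this page:
#   ID: NUM SUITE BITS PROT METHOD CIPHER MAC KEYX
audit_ciphers() {
    awk '
    $1 ~ /^[0-9]+:$/ && NF >= 9 {          # data rows only; skips the header
        prot = $5; cipher = $7; keyx = $9; why = ""
        # Anything that is not TLS1.2 or later is an old protocol.
        if (prot !~ /^TLS1\.[2-9]$/)    why = why " old-protocol(" prot ")"
        # Assumption: AEAD suites show GCM or CHACHA20 in the CIPHER column.
        if (cipher !~ /GCM|CHACHA20/)   why = why " non-AEAD(" cipher ")"
        # Assumption: ephemeral key exchange shows as ECDHE*, DHE* or EDH*.
        if (keyx !~ /^(ECDHE|DHE|EDH)/) why = why " no-forward-secrecy(" keyx ")"
        if (why != "") print $3 ":" why
    }'
}

# Rows 0-7 are the listing from this page; row 8 is a constructed sample row
# (static RSA key exchange over TLS1) added to exercise the other two checks.
sample_listing() {
cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_ECDSA
1: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_ECDSA
2: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_ECDSA
3: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_ECDSA
4: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
5: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
6: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
7: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
8: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
EOF
}

sample_listing | audit_ciphers
```

On a BIG-IP, pipe the real listing through the same function, for example tmm --clientciphers 'ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA' | audit_ciphers, and tighten the string until nothing is reported.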