Secure Cipher to use in SSL profiles

Latest revision as of 15:02, 21 February 2019


To list the ciphers that a cipher string expands to, use the following command:

# tmm --clientciphers DEFAULT:\!SSLv3

A good cipher string that removes SSLv3 and weak protocols is:

DEFAULT:!TLSv1_1:!TLSv1:!DTLSv1:!SHA

A stricter, stronger option is the one below:

ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA

With that string, only the suites below are allowed:

      ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
2: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
3: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
4: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
6: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
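
An audit check for the listing above, added here as an example (not part of the original wiki page or of F5's tooling): it parses `tmm --clientciphers` output and confirms every suite is TLS1.2 with ECDHE key exchange and no SHA-1 MAC, and counts GCM versus non-GCM suites. The function names and the extra weak row are constructed for illustration; the row layout is assumed to match the columns shown on this page.

```shell
# Audit `tmm --clientciphers <string>` output read on stdin against the policy
# the strict string is meant to enforce: TLS1.2 only, ECDHE key exchange,
# no SHA-1 MAC. Also counts GCM (AEAD) versus non-GCM suites.
audit_tmm_ciphers() {
    awk '
        $1 ~ /^[0-9]+:$/ {            # data rows start with an index like "0:"
            suite = $3; prot = $5; cipher = $7; mac = $8; keyx = $9
            n++; bad = ""
            if (prot != "TLS1.2")  bad = bad " prot=" prot
            if (mac == "SHA")      bad = bad " mac=" mac
            if (keyx !~ /^ECDHE_/) bad = bad " keyx=" keyx
            if (bad != "") { fail++; print "FAIL " suite bad }
            if (cipher == "AES-GCM") gcm++; else non_gcm++
        }
        END { printf "suites=%d fail=%d gcm=%d non_gcm=%d\n", n, fail, gcm, non_gcm }
    '
}

# Header and rows 0-7 copied from the listing on this page.
page_rows() {
    cat <<'EOF'
      ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
0: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
1: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
2: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
3: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
4: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES      SHA384  ECDHE_RSA
6: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
7: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
EOF
}

# Constructed row (not from the page): a TLS1 RSA suite with a SHA-1 MAC,
# the kind of entry the policy should reject.
weak_row() {
    echo '8:    47  AES128-SHA                       128  TLS1    Native  AES      SHA     RSA'
}

page_rows | audit_tmm_ciphers                  # the page listing alone
{ page_rows; weak_row; } | audit_tmm_ciphers   # listing plus the constructed weak row
```

On a BIG-IP, pipe the real listing into the function, for example `tmm --clientciphers 'ECDHE_ECDSA:ECDHE:!TLSv1_1:!TLSv1:!SHA' | audit_tmm_ciphers`. Against the listing on this page the summary shows that four of the eight allowed suites use AES without GCM.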