Forum Discussion

swo0sh_gt_13163
Jul 08, 2014

Custom cipher suite for ClientSSL Profile

Hello Folks,

I want to use a custom set of ciphers in my ClientSSL Profile. I have gone through the F5 documentation on how to disallow ciphers by putting !

However, I have a requirement that I need to use only 2 cipher suites, such as AES128-SHA256 & AES256-SHA256, and the rest should be denied. How can I deny the remaining cipher suites while allowing only the required ones?

Any help is appreciated.

Cheers! Darshan

  • e.g.

    [root@ve11a:Active:In Sync] tmp  tmm --clientcipher aes128-sha256:aes256-sha256:@strength
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
     1:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
    
  • or from GUI

    Local Traffic >> Profiles >> SSL >> Client >> Profile_Name (advanced mode) >> Ciphers
    aes256-sha256:aes128-sha256

    The system will prompt ciphers in the order of the input string: first aes256, then aes128.

  • Emad

    If implemented, LTM will only do the SSL handshake with these ciphers,

  • Thank you all! It worked exactly as expected.

    For the internal test, I used Wireshark and verified the server-side cipher suite.

    For the external test, as suggested above, SSL Labs is always helpful.

    Thank you again,
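
The `tmm --clientcipher` check shown in the first reply can be turned into an exact allowlist test, so a cipher string that expands to more (or fewer) suites than intended is caught before it is applied to the profile. This is an added example, not part of the original thread or of F5's tooling; the function name `audit_suites` is hypothetical, and the third sample row is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the expansion of a BIG-IP cipher string.
# stdin : the table printed by `tmm --clientcipher '<string>'`
# args  : the only suites that may appear (case-insensitive)
# Prints "UNEXPECTED <suite>" or "MISSING <suite>" per finding and
# returns 0 only when the expanded set equals the allowlist exactly.
audit_suites() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) want[toupper(a[i])] = 1
        }
        # Data rows look like: " 0:    61  AES256-SHA256   256  TLS1.2 ..."
        # The shell prompt line and the column header do not match.
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+$/ {
            suite = toupper($3)
            seen[suite] = 1
            if (!(suite in want)) { print "UNEXPECTED " suite; bad = 1 }
        }
        END {
            for (s in want)
                if (!(s in seen)) { print "MISSING " s; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Sample input. The first two rows are the output quoted in the reply above.
SAMPLE_OK='       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
 1:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA'

# Constructed row: what a looser cipher string might additionally expand to.
SAMPLE_LOOSE="$SAMPLE_OK
 2:    47  AES128-SHA                       128  TLS1.2  Native  AES     SHA     RSA"

# On the BIG-IP itself the input would come from the command in the reply:
#   tmm --clientcipher 'aes256-sha256:aes128-sha256' | audit_suites AES128-SHA256 AES256-SHA256
printf '%s\n' "$SAMPLE_LOOSE" | audit_suites AES128-SHA256 AES256-SHA256 \
    || echo "cipher string does not match the allowlist"
```
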