Forum Discussion

ottleydamian's avatar
Jun 20, 2017

F5 ciphersuite syntax

Help me understand F5 ciphersuite syntax please: https://support.f5.com/csp/article/K13400

 

In the client-ssl ciphers syntax the article states that if you want to support TLS1.0 and SSL3.0 do the following:

 

tmsh create /ltm profile client-ssl ciphers DEFAULT:-SSLv3:-TLSv1:RC4-SHA

 

 

If you don't want to allow SSLv3 do the following:

 

tmsh create /ltm profile client-ssl ciphers DEFAULT:!SSLv3:-TLSv1:RC4-SHA

 

 

that would make sense because the exclamation mark (!) negates that protocol.

 

In the same article to disable all protocols except TLS1.2 for management access the syntax is as follows:

 

modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

 

Logic seems to suggest that this syntax is allowing protocols from SSLv3 and above. Meaning allow 'ALL' except those with the '!' and then explicitly allowing TLSv1 and SSLv3 (and above).

 

Since the article says I'm wrong how an I supposed to read this??? Confused!!!

 

  • When in doubt, try using and play with the cipher suite definition:

    tmm --clientciphers 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:TLSv1:SSLv3:RC4-SHA'

  • Despite what TMM showed in its output about I believe now that the syntax in the F5 article is CORRECT. I tested with the following commands:

     

    openssl s_client -connect [IP ADDRESS]:443 -ssl3

     

    openssl s_client -connect [IP ADDRESS]:443 -tls1

     

    openssl s_client -connect [IP ADDRESS]:443 -tls1_1

     

    openssl s_client -connect [IP ADDRESS]:443 -tls1_2

     

    In the first 3 there was no negotiation but the last one accepted TLSv1.2. Note:I also noticed the syntax difference which might explain the difference in syntax for OpenSSL and TMM for TLSv1.2.

     

  • Kevin_K_51432's avatar
    Kevin_K_51432
    Historic F5 Account

    Greetings,

     

    I parsed through the responses and don't see that anyone's mentioned this yet, apologies if this has already been mentioned:

     

    Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but it can be added back to the cipher list if there are later options that allow it. For more information about building and viewing custom cipher lists, refer to K15194: Overview of the BIG-IP SSL/TLS cipher suite.

     

    https://support.f5.com/csp/article/K13171

     

    Hope this is helpful, thank you!

     

    Kevin

     

    • ottleydamian's avatar
      ottleydamian
      Icon for Cirrus rankCirrus

      Thanks Kevin,

       

      Actually the ! symbol was the syntax that I did understand. What was tripping me up before was if I only wanted TLSv1.2 ie. no sslv3, no tlsv1.0 and no tlsv1.1 why did the syntax in the F5 article have "-TLSv1:-SSLv3". I was expecting "!TLSv1:!SSLv3" etc.

       

      But though I can't fully understand all the intricacies of why it works, I at least am confident that it does work.

       

    • Kevin_K_51432's avatar
      Kevin_K_51432
      Historic F5 Account

      I think the only difference would be flexibility. Allow customers to add specific ciphers back in if they deem them necessary. For example, tlsv1 would work for DHE-RSA-DES-CBC3-SHA (if you needed that):

      -TLSv1:-SSLv3:DHE-RSA-DES-CBC3-SHA
      

      tlsv1 would not work for DHE-RSA-DES-CBC3-SHA (if you needed it):

      !TLSv1:!SSLv3:DHE-RSA-DES-CBC3-SHA
      
    • ottleydamian's avatar
      ottleydamian
      Icon for Cirrus rankCirrus

      Thanks,

       

      The missed question/answer in all this was how does the following syntax ONLY allow TLSv1.2:

       

      'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:!SSLv2:-TLSv1:-SSLv3:RC4-SHA'

       

      Or put another way, when you read that syntax, what specifically prevents ciphers that use TLSv1.1 or TLS1.0 or even SSLv3 from being used?