AhmedGalal219_3
Jan 01, 2018

SSL Profile Cipher

Hi all, I need to make sure that my SSL Client profile uses TLS1.2 without using the DES cipher. What I have done is to change the cipher in the SSL Profile from DEFAULT to TLS1_2:!DES, just making sure that ...
  • nitass_89166
    Jan 01, 2018

    What I want to make sure is that when I write TLS1_2:!DES:!3DES in the cipher string, it will use only the TLS1.2 protocol without DES or 3DES ciphers.

    Yes, but I suggest you check tmm --clientciphers, so you will know exactly which cipher suites you get.

    For example, the following is output from 13.1.0.1. Although it is only TLS 1.2 without DES or 3DES, it also includes RC4.

    [root@ve13a:Active:In Sync] config  tmm --clientciphers 'TLSv1_2:!DES:!3DES'
           ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
     0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
     1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
     2: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
     3: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
     4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
     5: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
     6: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM   SHA256  ECDH_RSA
     7: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES       SHA256  ECDH_RSA
     8: 49166  ECDH-RSA-AES128-SHA              128  TLS1.2  Native  AES       SHA     ECDH_RSA
     9: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM   SHA384  ECDH_RSA
    10: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES       SHA384  ECDH_RSA
    11: 49167  ECDH-RSA-AES256-SHA              256  TLS1.2  Native  AES       SHA     ECDH_RSA
    12:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
    13:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
    14:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
    15:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
    16:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
    17:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
    18:    65  CAMELLIA128-SHA                  128  TLS1.2  Native  CAMELLIA  SHA     RSA
    19:   132  CAMELLIA256-SHA                  256  TLS1.2  Native  CAMELLIA  SHA     RSA
    20: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
    21: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
    22: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES       SHA256  ECDHE_ECDSA
    23: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_ECDSA
    24: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES       SHA     ECDHE_ECDSA
    25: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES       SHA384  ECDHE_ECDSA
    26: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM   SHA256  ECDH_ECDSA
    27: 49156  ECDH-ECDSA-AES128-SHA            128  TLS1.2  Native  AES       SHA     ECDH_ECDSA
    28: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES       SHA256  ECDH_ECDSA
    29: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM   SHA384  ECDH_ECDSA
    30: 49157  ECDH-ECDSA-AES256-SHA            256  TLS1.2  Native  AES       SHA     ECDH_ECDSA
    31: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES       SHA384  ECDH_ECDSA
    32:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  EDH/RSA
    33:    51  DHE-RSA-AES128-SHA               128  TLS1.2  Native  AES       SHA     EDH/RSA
    34:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  EDH/RSA
    35:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  EDH/RSA
    36:    57  DHE-RSA-AES256-SHA               256  TLS1.2  Native  AES       SHA     EDH/RSA
    37:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  EDH/RSA
    38:    69  DHE-RSA-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     EDH/RSA
    39:   136  DHE-RSA-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     EDH/RSA
    40:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM   SHA256  DHE/DSS
    41:    50  DHE-DSS-AES128-SHA               128  TLS1.2  Native  AES       SHA     DHE/DSS
    42:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES       SHA256  DHE/DSS
    43:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM   SHA384  DHE/DSS
    44:    56  DHE-DSS-AES256-SHA               256  TLS1.2  Native  AES       SHA     DHE/DSS
    45:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES       SHA256  DHE/DSS
    46:    68  DHE-DSS-CAMELLIA128-SHA          128  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS
    47:   135  DHE-DSS-CAMELLIA256-SHA          256  TLS1.2  Native  CAMELLIA  SHA     DHE/DSS
    48:   166  ADH-AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM   SHA256  ADH
    49:   167  ADH-AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM   SHA384  ADH
    50:     5  RC4-SHA                          128  TLS1.2  Native  RC4       SHA     RSA
    51:     4  RC4-MD5                          128  TLS1.2  Native  RC4       MD5     RSA
    

    That means it is as if I didn't have an SSL profile at all and it will accept any certificate, or what?

    If I do not misremember, ignore means BIG-IP will not request a client certificate from the client (the server certificate is already presented to the client).
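The point of the reply above is that a cipher string which only negates DES and 3DES still leaves RC4, MD5 and the unauthenticated ADH suites in the list, so the string has to be checked against what the box actually offers. As an added example (not code from the thread and not an F5 tool), the Python script below parses output in the layout of tmm --clientciphers and flags every suite that falls outside a stricter policy. The sample rows are copied from the 13.1.0.1 listing in the reply; the policy sets (WEAK_CIPHERS, WEAK_MACS, ANON_KEYX, MIN_BITS) and the function names are this example's own assumptions, not F5 defaults.

```python
import re
from typing import Dict, List

# Sample input in the layout of `tmm --clientciphers` output. The rows are copied
# from the 13.1.0.1 listing in the reply above (a subset chosen to cover both
# acceptable and weak suites); the header row is kept so the parser must skip it.
SAMPLE_OUTPUT = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
48:   166  ADH-AES128-GCM-SHA256            128  TLS1.2  Native  AES-GCM   SHA256  ADH
50:     5  RC4-SHA                          128  TLS1.2  Native  RC4       SHA     RSA
51:     4  RC4-MD5                          128  TLS1.2  Native  RC4       MD5     RSA
"""

# One data row: "<index>: <id>  <suite>  <bits>  <prot>  <method>  <cipher>  <mac>  <keyx>"
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

# Policy used by this example (an assumption, not an F5 default): what the poster
# wanted to exclude (DES/3DES, anything other than TLS1.2) plus what slipped
# through in the listing (RC4, MD5 and anonymous key exchange).
WEAK_CIPHERS = {"DES", "3DES", "RC4", "NULL"}
WEAK_MACS = {"MD5"}
ANON_KEYX = {"ADH", "AECDH"}
MIN_BITS = 128
DES_IN_NAME = re.compile(r"(^|-)3?DES(-|$)")  # catches e.g. DES-CBC3-SHA by suite name


def parse_clientciphers(text: str) -> List[Dict[str, str]]:
    """Turn tmm --clientciphers output into one dict per cipher suite row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            rows.append(m.groupdict())
    return rows


def weaknesses(row: Dict[str, str]) -> List[str]:
    """Reasons a suite violates the policy; an empty list means it is acceptable."""
    reasons = []
    if row["prot"] != "TLS1.2":
        reasons.append("protocol " + row["prot"])
    if row["cipher"] in WEAK_CIPHERS or DES_IN_NAME.search(row["suite"]):
        reasons.append("cipher " + row["cipher"])
    if row["mac"] in WEAK_MACS:
        reasons.append("mac " + row["mac"])
    if row["keyx"] in ANON_KEYX:
        reasons.append("anonymous key exchange " + row["keyx"])
    if int(row["bits"]) < MIN_BITS:
        reasons.append("only %s bits" % row["bits"])
    return reasons


def audit(text: str) -> Dict[str, List[str]]:
    """Map each flagged suite name to the list of reasons it was flagged."""
    flagged = {}
    for row in parse_clientciphers(text):
        reasons = weaknesses(row)
        if reasons:
            flagged[row["suite"]] = reasons
    return flagged


if __name__ == "__main__":
    # Offline run on the sample; on a BIG-IP, save the live listing to a file
    # (tmm --clientciphers 'TLSv1_2:!DES:!3DES' > ciphers.txt) and pass its
    # contents to audit() instead.
    for suite, reasons in audit(SAMPLE_OUTPUT).items():
        print("%-32s %s" % (suite, ", ".join(reasons)))
```

On the sample rows the script flags ADH-AES128-GCM-SHA256 (no server authentication), RC4-SHA and RC4-MD5, and leaves the ECDHE suites alone. The practical loop is to add the corresponding negations to the cipher string (for example !RC4, !MD5 and !ADH alongside !DES:!3DES), re-run tmm --clientciphers, and re-audit until nothing is flagged.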