AskF5 Knowledge Base

sol13171: Configuring the cipher strength for SSL profiles (11.x)
How-To

Original Publication Date: 11/17/2011
Updated Date: 02/27/2013

This article applies to BIG-IP 11.x. For information about other versions, refer to the following article:

Purpose

You should consider using this procedure under the following condition:

  • You want to configure a custom cipher list for a client or server SSL profile

Prerequisites

You must meet the following prerequisite to use this procedure:

  • You must have access to the BIG-IP Configuration utility or command line

Description

BIG-IP SSL Stacks

The BIG-IP SSL profiles can use ciphers from two different SSL stacks: the NATIVE stack, which is built into TMM, and the COMPAT stack, which is based on the OpenSSL library. The NATIVE stack is an optimized SSL stack that allows the BIG-IP system to leverage hardware acceleration. F5 recommends using the NATIVE stack, as it is suitable for most SSL connections.

In BIG-IP version 11.x, the SSL profiles only use ciphers from the NATIVE SSL stack. To use SSL ciphers from the COMPAT stack, you must manually configure the cipher string for the profile to COMPAT.

Default cipher list for SSL profiles

When configuring an SSL profile on the BIG-IP system, you can manually specify the ciphers available for SSL connections, or you can use the default cipher string, DEFAULT. The default cipher string only uses SSL ciphers from the NATIVE SSL stack. The DEFAULT cipher string for the SSL profiles is as follows:

11.2.1 through 11.3.0

NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED

This cipher string is defined as follows:

Parameter   Definition
NATIVE      Use the optimized SSL stack that leverages hardware acceleration
!MD5        Do not use MD5 ciphers
!EXPORT     Do not use EXPORT grade (weak) ciphers
!DES        Do not use DES ciphers
!DHE        Do not use DHE ciphers
!EDH        Do not use EDH ciphers
@SPEED      Order the cipher preference by speed

11.0.0 through 11.2.0

NATIVE:!MD5:!EXPORT:!DES:@SPEED

This cipher string is defined as follows:

Parameter   Definition
NATIVE      Use the optimized SSL stack that leverages hardware acceleration
!MD5        Do not use MD5 ciphers
!EXPORT     Do not use EXPORT grade (weak) ciphers
!DES        Do not use DES ciphers
@SPEED      Order the cipher preference by speed

F5 recommends using the DEFAULT cipher string for client and server SSL profiles. However, you can configure an SSL profile to use a custom cipher suite. By applying different profiles to different virtual servers, you can make client SSL virtual servers more or less permissive than others. For example, you can use this approach to allow only strong ciphers, thereby enforcing the PCI requirement for strong cryptography and eliminating Weak Supported SSL Ciphers Suite violations.

Procedures

Configuring the SSL profile to use only TLSv1.2 compatible ciphers
Configuring the SSL profile to block a specific SSL cipher
Configuring the SSL profile to order SSL ciphers by strength
Configuring the SSL profile to block a specific SSL version
Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack
Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

Configuring the SSL profile to use only TLSv1.2 compatible ciphers

To configure an SSL profile to use only TLSv1.2 compatible ciphers using the Configuration utility, perform the following procedure:

Impact of procedure: Configuring the profile to use only TLSv1.2 will cause connection failure for clients that do not support TLS1.2.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would configure an SSL profile to use only TLSv1.2 compatible ciphers:

    TLSv1_2

    Note: Alternatively, to configure an SSL profile to use only TLSv1.2 compatible ciphers using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers TLSv1_2

Configuring the SSL profile to block a specific SSL cipher

To configure an SSL profile to block a specific cipher using the Configuration utility, perform the following procedure:

Impact of procedure: Configuring the profile to block a specific SSL cipher may cause certain client connections to fail.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would allow the default ciphers for the SSL profile and block the AES128-SHA cipher:

    DEFAULT:!AES128-SHA

    Note: Alternatively, to create an SSL profile to block the AES128-SHA cipher using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!AES128-SHA

Configuring the SSL profile to order SSL ciphers by strength

To configure the SSL profile to order SSL ciphers by strength, perform the following procedure:

Impact of procedure: Ordering SSL ciphers by strength may cause the virtual server to process fewer SSL transactions per second (TPS).

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would sort the cipher list in order of encryption algorithm key length:

    DEFAULT:@STRENGTH

    Note: Alternatively, to create an SSL profile to order SSL ciphers by strength using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:@STRENGTH

Configuring the SSL profile to block a specific SSL version

To configure the SSL profile to block a specific SSL version, perform the following procedure:

Impact of procedure: Configuring the profile to block a specific SSL version may cause certain client connections to fail.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would allow the default ciphers for the SSL profile and block SSLv3:

    DEFAULT:!SSLv3

    Note: Alternatively, to create an SSL profile to block SSLv3 using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!SSLv3

Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack

To configure the SSL profile to use specific ciphers from the COMPAT stack, perform the following procedure:

Impact of procedure: Configuring the profile to use ciphers from the COMPAT SSL stack may result in suboptimal SSL performance for the virtual server.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would allow DHE ciphers for the profile:

    COMPAT+DHE

    Note: Alternatively, to create an SSL profile that allows DHE ciphers using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT+DHE

Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

To configure the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks, perform the following procedure:

Impact of procedure: Configuring the profile to use ciphers from the NATIVE and COMPAT SSL stacks may result in low-encryption SSL connections.

  1. Log in to the Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL drop-down menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile drop-down menu.
  8. Choose Advanced from the Configuration drop-down menu.
  9. Click the Custom box for Ciphers.
  10. Enter the cipher string in the Ciphers box.

    For example, the following string would allow ciphers from the NATIVE and COMPAT SSL stacks:

    COMPAT:NATIVE

    Note: Alternatively, to create an SSL profile that allows ciphers from the NATIVE and COMPAT SSL stacks using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT:NATIVE
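
As an added example (not F5 code, and not the TMM's real cipher evaluator), the following Python models the cipher-string grammar used in the Description and in the procedures above: ":" separates keywords, "!" excludes permanently, "A+B" requires both keywords, and "@SPEED" / "@STRENGTH" reorder the list. The suite table, its speed ranks and the tag model are constructed assumptions, so the output illustrates the semantics of each string rather than a real BIG-IP cipher list.

```python
# Added example, not F5 code: a small model of the BIG-IP cipher-string grammar
# evaluated over a constructed, simplified suite table. Real TMM suite
# coverage, version support and speed ranking differ from this table.
DEFAULT_11_2_1 = "NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED"  # from the article

# Constructed table: (name, key bits, speed rank with higher = faster, tags).
# Tags cover stack, MAC, key exchange and the protocol versions a suite runs under.
SUITES = [
    ("AES128-SHA",         128, 5, "NATIVE COMPAT SHA RSA SSLv3 TLSv1 TLSv1_1 TLSv1_2"),
    ("AES256-SHA",         256, 4, "NATIVE COMPAT SHA RSA SSLv3 TLSv1 TLSv1_1 TLSv1_2"),
    ("AES128-SHA256",      128, 3, "NATIVE COMPAT SHA256 RSA TLSv1_2"),
    ("RC4-MD5",            128, 6, "NATIVE COMPAT MD5 RSA SSLv3 TLSv1"),
    ("DES-CBC-SHA",         56, 2, "NATIVE COMPAT DES SHA RSA SSLv3 TLSv1"),
    ("EXP-RC4-MD5",         40, 6, "NATIVE COMPAT EXPORT MD5 RSA SSLv3 TLSv1"),
    ("DHE-RSA-AES256-SHA", 256, 1, "COMPAT DHE EDH SHA RSA SSLv3 TLSv1 TLSv1_1 TLSv1_2"),
]
VERSIONS = {"SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}

def entries():
    """One (name, version, bits, speed, tags) entry per suite and protocol version."""
    out = []
    for name, bits, speed, tagstr in SUITES:
        tags = set(tagstr.split()) | {name}          # the suite name is itself a keyword
        for ver in sorted(tags & VERSIONS):
            out.append((name, ver, bits, speed, (tags - VERSIONS) | {ver}))
    return out

def evaluate(cipher_string):
    """Return the enabled (suite, version) pairs in preference order."""
    selected, killed = [], set()
    for tok in cipher_string.replace("DEFAULT", DEFAULT_11_2_1).split(":"):
        if tok.startswith("@"):                       # sort directive
            idx = 2 if tok == "@STRENGTH" else 3      # key bits or speed rank
            selected.sort(key=lambda e: e[idx], reverse=True)   # stable sort
            continue
        exclude = tok.startswith("!")
        needed = set(tok.lstrip("!").split("+"))      # "A+B": both tags required
        hits = [e for e in entries() if needed <= e[4]]
        if exclude:                                   # "!": removed for good
            killed |= {e[:2] for e in hits}
            selected = [e for e in selected if e[:2] not in killed]
        else:
            selected += [e for e in hits if e[:2] not in killed and e not in selected]
    return [e[:2] for e in selected]

def suite_names(cipher_string):
    """Distinct suite names in the order the profile would offer them."""
    return list(dict.fromkeys(name for name, _ in evaluate(cipher_string)))

def versions(cipher_string):
    """Protocol versions that at least one enabled suite can still negotiate."""
    return {ver for _, ver in evaluate(cipher_string)}
```

Running suite_names and versions over the strings from this article (DEFAULT, DEFAULT:!AES128-SHA, DEFAULT:@STRENGTH, DEFAULT:!SSLv3, TLSv1_2, COMPAT+DHE, COMPAT:NATIVE) shows why COMPAT:NATIVE brings the EXPORT and MD5 suites back, which the DEFAULT string had excluded.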

Supplemental Information
