sol13171: Configuring the cipher strength for SSL profiles (11.x)
How-To

Original Publication Date: 11/17/2011
Updated Date: 04/21/2014

This article applies to BIG-IP 11.x. For information about other versions, refer to the following article:

Purpose

You should consider using this procedure under the following condition:

  • You want to configure a custom cipher list for a client or server Secure Socket Layer (SSL) profile.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • You have access to the BIG-IP Configuration utility or command line.

Description

BIG-IP SSL Stacks

The BIG-IP SSL profiles can use ciphers from two different SSL stacks; the NATIVE stack is built into the Traffic Management Microkernel (TMM), and the COMPAT stack, is based on the OpenSSL library. The NATIVE stack is an optimized SSL stack which can be used by the BIG-IP system to leverage hardware acceleration. F5 recommends using the NATIVE stack because it is suitable for most SSL connections.

In BIG-IP 11.x, the SSL profiles only use ciphers from the NATIVE SSL stack. To use SSL ciphers from the COMPAT stack, you must manually configure the cipher string for the profile to COMPAT.

Note: For a complete list of supported SSL ciphers from the NATIVE and COMPAT SSL stacks, refer to SOL13163: SSL ciphers supported on BIG-IP platforms (11.x). 

Default cipher list for SSL profiles

When you configure an SSL profile on the BIG-IP system, you can manually specify the ciphers available for SSL connections, or you can use the default cipher string, DEFAULT. The default cipher string only uses SSL ciphers from the NATIVE SSL stack. The DEFAULT cipher string for the SSL profiles is as follows:

11.5.0 through 11.5.1

!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4

This cipher string is defined as follows:

Parameter    Definition
!SSLv2       Do not use the SSLv2 protocol
!SSLv3       Do not use the SSLv3 protocol
!MD5         Do not use MD5 ciphers
!EXPORT      Do not use EXPORT grade (weak) ciphers
RSA+AES      Use RSA+AES ciphers
RSA+3DES     Use RSA+3DES ciphers
RSA+RC4      Use RSA+RC4 ciphers
ECDHE+AES    Use ECDHE+AES ciphers
ECDHE+3DES   Use ECDHE+3DES ciphers
ECDHE+RC4    Use ECDHE+RC4 ciphers

11.2.1 through 11.4.1

NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED

This cipher string is defined as follows:

Parameter    Definition
NATIVE       Use the optimized SSL stack that leverages hardware acceleration
!MD5         Do not use MD5 ciphers
!EXPORT      Do not use EXPORT grade (weak) ciphers
!DES         Do not use DES ciphers
!DHE         Do not use DHE ciphers
!EDH         Do not use EDH ciphers
@SPEED       Order the cipher preference by speed

11.0.0 through 11.2.0

NATIVE:!MD5:!EXPORT:!DES:@SPEED

This cipher string is defined as follows:

Parameter    Definition
NATIVE       Use the optimized SSL stack that leverages hardware acceleration
!MD5         Do not use MD5 ciphers
!EXPORT      Do not use EXPORT grade (weak) ciphers
!DES         Do not use DES ciphers
@SPEED       Order the cipher preference by speed

F5 recommends using the DEFAULT cipher string for client and server SSL profiles. However, you can configure an SSL profile to use a custom cipher suite. By applying different profiles to different virtual servers, you can make client SSL virtual servers more or less permissive than others. For example, you can use this approach to allow only strong ciphers, thereby enforcing the PCI requirement for strong cryptography and eliminating Weak Supported SSL Ciphers Suite violations.

Procedures

Configuring the SSL profile to include all the DSA ECC ciphers
Configuring the SSL profile to use only TLSv1.2 compatible ciphers
Configuring the SSL profile to block a specific SSL cipher
Configuring the SSL profile to order SSL ciphers by strength
Configuring the SSL profile to block a specific SSL version
Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack
Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

Configuring the SSL profile to include all the DSA ECC ciphers

Beginning in BIG-IP 11.5.0, the DSA ECC ciphers are not enabled in the DEFAULT client ciphers. To configure the SSL profile to include all the DSA ECC ciphers, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, append the string :ECDHE:ECDHE_ECDSA:DHE_DSS after DEFAULT to include all DSA ECC ciphers:

    DEFAULT:ECDHE:ECDHE_ECDSA:DHE_DSS

    Note: Alternatively, to configure an SSL profile to include all DSA ECC ciphers using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:ECDHE:ECDHE_ECDSA:DHE_DSS

Configuring the SSL profile to use only TLSv1.2 compatible ciphers

Impact of procedure: Configuring the profile to use only TLSv1.2 causes connection failures for clients that do not support TLSv1.2.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string configures an SSL profile to use only TLSv1.2 compatible ciphers:

    TLSv1_2

    Note: Alternatively, to configure an SSL profile to use only TLSv1.2 compatible ciphers using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers TLSv1_2

Configuring the SSL profile to block a specific SSL cipher

Impact of procedure: Configuring the profile to block a specific SSL cipher may cause certain client connections to fail.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string allows the default ciphers for the SSL profile and blocks the AES128-SHA cipher:

    DEFAULT:!AES128-SHA

    Note: Alternatively, to create an SSL profile to block the AES128-SHA cipher using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!AES128-SHA

Configuring the SSL profile to order SSL ciphers by strength

Impact of procedure: Ordering SSL ciphers by strength may cause the virtual server to process fewer SSL transactions per second (TPS).

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string sorts the cipher list in order of encryption algorithm key length:

    DEFAULT:@STRENGTH

    Note: Alternatively, to create an SSL profile to order SSL ciphers by strength using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:@STRENGTH

Configuring the SSL profile to block a specific SSL version

Note: Beginning in BIG-IP 11.5.0, the SSLv3 protocol is disabled in the DEFAULT SSL ciphers. For information, refer to SOL15022: Change in Behavior: The SSLv3 protocol is disabled in the DEFAULT SSL ciphers.

Impact of procedure: Configuring the profile to block a specific SSL version may cause certain client connections to fail.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string allows the default ciphers for the SSL profile and blocks SSLv3:

    DEFAULT:!SSLv3

    Note: Alternatively, to create an SSL profile to block SSLv3 using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!SSLv3

Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack

Impact of procedure: Configuring the profile to use ciphers from the COMPAT SSL stack may result in less than optimal SSL performance for the virtual server.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string allows DHE ciphers for the profile:

    COMPAT+DHE

    Note: Alternatively, to create an SSL profile that allows DHE ciphers using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT+DHE

Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

Impact of procedure: Configuring the profile to use ciphers from the NATIVE and COMPAT SSL stacks may result in low-encryption SSL connections.

  1. Log in to the BIG-IP Configuration utility.
  2. Click Local Traffic.
  3. Click Profiles.
  4. Choose Client from the SSL menu.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. Choose clientssl from the Parent Profile menu.
  8. Choose Advanced from the Configuration menu.
  9. Click the Custom box for Ciphers.
  10. Type the cipher string in the Ciphers box.

    For example, the following string allows ciphers from the NATIVE and COMPAT SSL stacks:

    COMPAT:NATIVE

    Note: Alternatively, to create an SSL profile that allows ciphers from the NATIVE and COMPAT SSL stacks using the tmsh utility, use the following syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT:NATIVE
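The following Python script is an added example, not part of this article and not F5 code. It models how the cipher strings quoted in this article (the three DEFAULT strings in the Description section and the custom strings in the procedures above) resolve into a protocol set and an ordered cipher list, so that a change can be reviewed before it is applied to a profile. Everything about it is an assumption made for illustration: the token rules are modelled on OpenSSL cipher-string semantics (positive tokens append matches, `!` removes them permanently, `+` intersects, `@SPEED` and `@STRENGTH` reorder the list built so far), protocol tokens such as `!SSLv3` are treated as enabling or disabling a protocol version, `RSA` is read as RSA key exchange, SSLv2 is assumed off unless a string enables it, the cipher catalogue and the speed ranking are constructed (the real lists are in SOL13163), and the `audit` function is a defender-side check that is not an F5 feature.

```python
"""Model of BIG-IP-style cipher strings applied to a constructed cipher catalogue.

Illustrative code only, not F5's implementation. Assumed rules (OpenSSL-like):
tokens are ':'-separated; 'X' appends matching suites; '!X' removes matches for
good; 'A+B' keeps suites matching every part; '@SPEED'/'@STRENGTH' reorder the
list built so far; a protocol token (SSLv2 ... TLSv1_2) enables that version and
'!SSLv3' disables it; DEFAULT expands to the version-specific string quoted in
the article.
"""
from dataclasses import dataclass

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
SPEED_RANK = {"RC4": 0, "AES": 1, "3DES": 2, "DES": 3}  # constructed ranking for @SPEED


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str         # key exchange: RSA, ECDHE, DHE
    auth: str       # authentication: RSA, ECDSA, DSS
    enc: str        # bulk cipher: AES, 3DES, RC4, DES
    bits: int       # symmetric key length; below 56 counts as EXPORT grade
    mac: str        # SHA, SHA256, MD5
    stack: str      # NATIVE or COMPAT
    min_proto: str  # lowest protocol version offering this suite


# Constructed catalogue for this example; the real lists are in SOL13163.
CATALOGUE = [
    Cipher("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", "AES", 256, "SHA", "NATIVE", "TLSv1"),
    Cipher("ECDHE-ECDSA-AES128-SHA256", "ECDHE", "ECDSA", "AES", 128, "SHA256", "NATIVE", "TLSv1_2"),
    Cipher("AES256-SHA", "RSA", "RSA", "AES", 256, "SHA", "NATIVE", "SSLv3"),
    Cipher("AES128-SHA", "RSA", "RSA", "AES", 128, "SHA", "NATIVE", "SSLv3"),
    Cipher("DES-CBC3-SHA", "RSA", "RSA", "3DES", 168, "SHA", "NATIVE", "SSLv3"),
    Cipher("RC4-SHA", "RSA", "RSA", "RC4", 128, "SHA", "NATIVE", "SSLv3"),
    Cipher("RC4-MD5", "RSA", "RSA", "RC4", 128, "MD5", "NATIVE", "SSLv2"),
    Cipher("EXP-RC4-MD5", "RSA", "RSA", "RC4", 40, "MD5", "NATIVE", "SSLv2"),
    Cipher("DHE-DSS-AES256-SHA", "DHE", "DSS", "AES", 256, "SHA", "COMPAT", "SSLv3"),
    Cipher("DHE-RSA-AES128-SHA", "DHE", "RSA", "AES", 128, "SHA", "COMPAT", "SSLv3"),
]

# DEFAULT strings quoted in the article, keyed by the first version of each range.
DEFAULTS = {
    "11.5.0": "!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4",
    "11.2.1": "NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED",
    "11.0.0": "NATIVE:!MD5:!EXPORT:!DES:@SPEED",
}


def matches(c, word):
    """Does a single keyword select cipher c? (keyword meanings are assumptions)"""
    if word == "EXPORT":
        return c.bits < 56
    if word in ("DHE", "EDH"):
        return c.kx == "DHE"
    if word == "ECDHE_ECDSA":
        return c.kx == "ECDHE" and c.auth == "ECDSA"
    if word == "DHE_DSS":
        return c.kx == "DHE" and c.auth == "DSS"
    if word in ("NATIVE", "COMPAT"):
        return c.stack == word
    if word in PROTOCOLS:  # the suite is offered by that protocol version
        return PROTOCOLS.index(c.min_proto) <= PROTOCOLS.index(word)
    return word in (c.kx, c.enc, c.mac, c.name)  # RSA means RSA key exchange here


def expand(s, version):
    """Flatten a cipher string into tokens, substituting DEFAULT for the version."""
    for tok in s.split(":"):
        if tok == "DEFAULT":
            yield from expand(DEFAULTS[version], version)
        elif tok:
            yield tok


def evaluate(cipher_string, version="11.5.0"):
    """Return (enabled protocol versions, ordered cipher names) for a cipher string."""
    enabled = set(PROTOCOLS[1:])  # assumption: SSLv2 is off unless enabled explicitly
    restricted = False            # set once a positive protocol token narrows the set
    selected, banned = [], set()
    for tok in expand(cipher_string, version):
        if tok == "@STRENGTH":
            selected.sort(key=lambda c: -c.bits)       # stable: ties keep prior order
        elif tok == "@SPEED":
            selected.sort(key=lambda c: (SPEED_RANK[c.enc], c.bits))
        elif tok.startswith("!"):
            word = tok[1:]
            if word in PROTOCOLS:
                enabled.discard(word)
            else:
                hits = {c for c in CATALOGUE if matches(c, word)}
                banned |= hits
                selected = [c for c in selected if c not in hits]
        else:
            parts = tok.split("+")
            if len(parts) == 1 and tok in PROTOCOLS:
                enabled = {tok} if not restricted else enabled | {tok}
                restricted = True
            for c in CATALOGUE:
                if c not in banned and c not in selected and all(matches(c, p) for p in parts):
                    selected.append(c)
    # A suite is only usable if some enabled protocol version is new enough to carry it.
    newest = max((PROTOCOLS.index(p) for p in enabled), default=-1)
    names = [c.name for c in selected if PROTOCOLS.index(c.min_proto) <= newest]
    return tuple(p for p in PROTOCOLS if p in enabled), names


def audit(cipher_string, version="11.5.0"):
    """Defender-side check: which weaknesses would the resulting profile still permit?"""
    protos, names = evaluate(cipher_string, version)
    chosen = [c for c in CATALOGUE if c.name in names]
    findings = [f"{p} enabled" for p in ("SSLv2", "SSLv3") if p in protos]
    if any(c.enc == "RC4" for c in chosen):
        findings.append("RC4 offered")
    if any(c.mac == "MD5" for c in chosen):
        findings.append("MD5 MAC offered")
    if any(c.bits < 56 for c in chosen):
        findings.append("export-grade cipher offered")
    if not any(c.kx in ("ECDHE", "DHE") for c in chosen):
        findings.append("no forward-secrecy suites")
    return findings


if __name__ == "__main__":
    for s, v in [("DEFAULT", "11.5.0"), ("DEFAULT:!SSLv3", "11.2.1"),
                 ("DEFAULT:@STRENGTH", "11.5.0"), ("COMPAT:NATIVE", "11.5.0")]:
        protos, names = evaluate(s, v)
        print(f"{v} {s}: {'/'.join(protos)}\n  {names}\n  audit: {audit(s, v)}")
```

Running the script shows why the article warns about `COMPAT:NATIVE`: with no exclusions, the model re-enables SSLv3, RC4, MD5 and export-grade suites, whereas `DEFAULT:!SSLv3` on the 11.2.1 string leaves only the RC4 finding. The `audit` output is the kind of pre-change review a defender wants before typing the `tmsh create` command; the real cipher list for a given BIG-IP version must still be taken from SOL13163 rather than from this constructed catalogue.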
