
sol13171: Configuring the cipher strength for SSL profiles (11.x)
How-To

Original Publication Date: 11/17/2011
Updated Date: 09/26/2014

This article applies to BIG-IP 11.x. For information about other versions, refer to the following article:

Purpose

You should consider using this procedure under the following condition:

  • You want to configure a custom cipher list for a Client or Server SSL profile.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • You have access to the BIG-IP Configuration utility or command line.

Description

BIG-IP SSL stacks

BIG-IP Secure Socket Layer (SSL) profiles can use ciphers from two different SSL stacks: the NATIVE stack, which is built into the Traffic Management Microkernel (TMM), and the COMPAT stack, which is based on the OpenSSL library. The NATIVE stack is an optimized SSL stack that allows the BIG-IP system to leverage hardware acceleration. F5 recommends using the NATIVE stack because it is suitable for most SSL connections.

In BIG-IP 11.x, the SSL profiles use only ciphers from the NATIVE SSL stack by default. To use SSL ciphers from the COMPAT stack, you must manually include COMPAT in the cipher string for the profile.

Note: For a complete list of supported SSL ciphers from the NATIVE and COMPAT SSL stacks, refer to SOL13163: SSL ciphers supported on BIG-IP platforms (11.x). 

Default cipher list for SSL profiles

When you configure an SSL profile on the BIG-IP system, you can manually specify the ciphers available for SSL connections, or you can use the default cipher string, DEFAULT. The default cipher string only uses SSL ciphers from the NATIVE SSL stack. The DEFAULT cipher string for the SSL profiles is as follows:

BIG-IP 11.6.0

!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA

This cipher string is defined as follows:

Parameter               Definition
!LOW                    Do not use 64 bit ciphers
!SSLv3                  Do not use SSLv3 protocol
!MD5                    Do not use MD5 ciphers
!RC4-SHA                Do not use RC4 cipher with SHA
!EXPORT                 Do not use EXPORT grade (weak) ciphers
DHE+AES-GCM             Use DHE+AES-GCM ciphers
DHE+AES                 Use DHE+AES ciphers
DHE+3DES                Use DHE+3DES ciphers
AES-GCM+RSA             Use AES-GCM+RSA ciphers
RSA+AES                 Use RSA+AES ciphers
RSA+3DES                Use RSA+3DES ciphers
RSA+RC4                 Use RSA+RC4 ciphers
ECDHE+AES-GCM           Use ECDHE+AES-GCM ciphers
ECDHE+AES               Use ECDHE+AES ciphers
ECDHE-RSA-DES-CBC3-SHA  Use ECDHE-RSA-DES-CBC3-SHA ciphers

BIG-IP 11.5.0 through 11.5.1

!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4

This cipher string is defined as follows:

Parameter               Definition
!SSLv2                  Do not use SSLv2 protocol
!SSLv3                  Do not use SSLv3 protocol
!MD5                    Do not use MD5 ciphers
!EXPORT                 Do not use EXPORT grade (weak) ciphers
RSA+AES                 Use RSA+AES ciphers
RSA+3DES                Use RSA+3DES ciphers
RSA+RC4                 Use RSA+RC4 ciphers
ECDHE+AES               Use ECDHE+AES ciphers
ECDHE+3DES              Use ECDHE+3DES ciphers
ECDHE+RC4               Use ECDHE+RC4 ciphers

BIG-IP 11.2.1 through 11.4.1

NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:@SPEED

This cipher string is defined as follows:

Parameter Definition
NATIVE Use the optimized SSL stack that leverages hardware acceleration
!MD5 Do not use MD5 ciphers
!EXPORT Do not use EXPORT grade (weak) ciphers
!DES Do not use DES ciphers
!DHE Do not use DHE ciphers
!EDH Do not use EDH ciphers
@SPEED Order the cipher preference by speed

BIG-IP 11.0.0 through 11.2.0

NATIVE:!MD5:!EXPORT:!DES:@SPEED

This cipher string is defined as follows:

Parameter Definition
NATIVE Use the optimized SSL stack that leverages hardware acceleration
!MD5 Do not use MD5 ciphers
!EXPORT Do not use EXPORT grade (weak) ciphers
!DES Do not use DES ciphers
@SPEED Order the cipher preference by speed

F5 recommends using the DEFAULT cipher string for Client and Server SSL profiles. However, you can configure an SSL profile to use a custom cipher suite. By applying different profiles to different virtual servers, you can make Client SSL virtual servers more or less permissive than others. For example, you can use this approach to allow only strong ciphers, thereby enforcing the PCI requirement for strong cryptography and eliminating Weak Supported SSL Ciphers Suite violations.

Procedures

Configuring the SSL profile to include a specific SSL cipher
Configuring the SSL profile to use only TLSv1.2 compatible ciphers
Configuring the SSL profile to block a specific SSL cipher
Configuring the SSL profile to order SSL ciphers by strength
Configuring the SSL profile to block a specific SSL version
Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack
Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

Configuring the SSL profile to include a specific SSL cipher

Before you add a cipher to an SSL profile, you should verify that the desired cipher is not already included in the DEFAULT cipher list for your BIG-IP system version.

Note: For information about SSL ciphers used in the default SSL profiles, refer to SOL13156: SSL ciphers used in the default SSL profiles (11.x).

After you verify that the desired cipher is not already included in the DEFAULT cipher list, you can add the cipher to the SSL profile. To do so, perform the following steps:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, appending :ECDHE:ECDHE_ECDSA:DHE_DSS to DEFAULT to include all DSA ECC ciphers produces a string similar to the following:

    DEFAULT:ECDHE:ECDHE_ECDSA:DHE_DSS

    Note: Alternatively, to configure an SSL profile to include all DSA ECC ciphers using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:ECDHE:ECDHE_ECDSA:DHE_

  10. Complete the remaining profile settings.
  11. Click Finished.

Configuring the SSL profile to use only TLSv1.2 compatible ciphers

Impact of procedure: Configuring the profile to use only TLSv1.2 compatible ciphers causes connection failure for clients that do not support TLSv1.2.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string configures an SSL profile to use only TLSv1.2 compatible ciphers:

    TLSv1_2

    Note: Alternatively, to configure an SSL profile to use only TLSv1.2 compatible ciphers using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers TLSv1_2

Configuring the SSL profile to block a specific SSL cipher

Impact of procedure: Configuring the profile to block a specific SSL cipher may cause certain client connections to fail.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string allows the default ciphers for the SSL profile and blocks the AES128-SHA cipher:

    DEFAULT:!AES128-SHA

    Note: Alternatively, to create an SSL profile to block the AES128-SHA cipher using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!AES128-SHA

Configuring the SSL profile to order SSL ciphers by strength

Impact of procedure: Ordering SSL ciphers by strength may cause the virtual server to process fewer SSL transactions per second (TPS).

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string sorts the cipher list in order of encryption algorithm key length:

    DEFAULT:@STRENGTH

    Note: Alternatively, to create an SSL profile to order SSL ciphers by strength using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:@STRENGTH

Configuring the SSL profile to block a specific SSL version

Note: Beginning in BIG-IP 11.5.0, the SSLv3 protocol is disabled in the DEFAULT SSL ciphers. For information, refer to SOL15022: The SSLv3 protocol is disabled in the DEFAULT SSL ciphers.

Impact of procedure: Configuring the profile to block a specific SSL version may cause certain client connections to fail.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string allows the default ciphers for the SSL profile and blocks SSLv3:

    DEFAULT:!SSLv3

    Note: Alternatively, to create an SSL profile to block SSLv3 using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers DEFAULT:!SSLv3

Configuring the SSL profile to use specific ciphers from the COMPAT SSL stack

Impact of procedure: Configuring the profile to use ciphers from the COMPAT SSL stack may result in less than optimal SSL performance for the virtual server.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string allows DHE ciphers for the profile:

    COMPAT+DHE

    Note: Alternatively, to create an SSL profile that allows DHE ciphers using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT+DHE

Configuring the SSL profile to use ciphers from the NATIVE and COMPAT SSL stacks

Impact of procedure: Configuring the profile to use ciphers from the NATIVE and COMPAT SSL stacks may result in low-encryption SSL connections.

  1. Log in to the Configuration utility.
  2. Navigate to Local Traffic > Profiles.
  3. From the SSL menu, select Client.
  4. Click Create.
  5. Type a name for the SSL profile.
  6. From the Parent Profile menu, select clientssl.
  7. From the Configuration menu, select Advanced.
  8. For Ciphers, click the Custom box.
  9. In the Ciphers box, type the cipher string.

    For example, the following string allows ciphers from the NATIVE and COMPAT SSL stacks:

    COMPAT:NATIVE

    Note: Alternatively, to create an SSL profile that allows ciphers from the NATIVE and COMPAT SSL stacks using the tmsh utility, use the following command syntax:

    tmsh create /ltm profile client-ssl <profile_name> ciphers COMPAT:NATIVE
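As an added illustration (not F5 code, and not how TMM actually resolves a cipher string), the following Python models the cipher string grammar used throughout this article (':' separated terms, '!' exclusions, '+' intersections, '@STRENGTH', expansion of DEFAULT) over a constructed, abbreviated suite table, so you can predict what strings such as DEFAULT:!AES128-SHA or DEFAULT:@STRENGTH leave enabled before creating the profile. The suite table, the keyword matching rules and the protocol handling are assumptions of this model; confirm the real result on the BIG-IP system.

```python
from collections import namedtuple

# Constructed suite table, not the BIG-IP one: bits = key length; kx/enc/mac tags double as keywords.
Suite = namedtuple("Suite", "name bits kx enc mac")
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", 256, "ECDHE", "AES-GCM", "SHA"),
    Suite("ECDHE-RSA-AES128-SHA", 128, "ECDHE", "AES", "SHA"),
    Suite("ECDHE-RSA-DES-CBC3-SHA", 168, "ECDHE", "3DES", "SHA"),
    Suite("DHE-RSA-AES256-SHA", 256, "DHE", "AES", "SHA"),
    Suite("AES256-SHA", 256, "RSA", "AES", "SHA"),
    Suite("AES128-SHA", 128, "RSA", "AES", "SHA"),
    Suite("RC4-SHA", 128, "RSA", "RC4", "SHA"),
    Suite("RC4-MD5", 128, "RSA", "RC4", "MD5"),
    Suite("EXP-RC4-MD5", 40, "RSA", "RC4", "MD5"),  # EXPORT grade (40-bit)
]
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")
# The BIG-IP 11.6.0 DEFAULT string quoted in this article; other versions differ.
DEFAULT = ("!LOW:!SSLv3:!MD5:!RC4-SHA:!EXPORT:DHE+AES-GCM:DHE+AES:DHE+3DES:"
           "AES-GCM+RSA:RSA+AES:RSA+3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE-RSA-DES-CBC3-SHA")

def matches(suite, keyword):
    """EXPORT and LOW are strength classes; any other keyword must equal the suite name or a tag."""
    if keyword in ("EXPORT", "LOW"):
        return suite.bits <= 56 if keyword == "EXPORT" else suite.bits == 64
    return keyword in (suite.name, suite.kx, suite.enc, suite.mac)

def evaluate(cipher_string, st=None):
    """Return (suites in preference order, enabled protocols) for a cipher string.
    ':' separates terms, '!' bans its matches for the rest of the string, '+' ANDs
    keywords, '@STRENGTH' sorts by key length and DEFAULT expands in place. Protocol
    keywords only gate protocols in this model, and NATIVE/COMPAT are not modelled."""
    st = st or {"on": [], "banned": set(), "protos": set(PROTOCOLS)}
    for term in cipher_string.split(":"):
        negate, key = term.startswith("!"), term.lstrip("!")
        if key == "DEFAULT":
            evaluate(DEFAULT, st)
        elif key == "@STRENGTH":
            st["on"].sort(key=lambda s: -s.bits)  # strongest key first; sort is stable
        elif key in PROTOCOLS:
            st["protos"] = st["protos"] - {key} if negate else {key}
        else:
            hits = [s for s in SUITES if all(matches(s, k) for k in key.split("+"))]
            if negate:
                st["banned"].update(s.name for s in hits)
                st["on"] = [s for s in st["on"] if s.name not in st["banned"]]
            else:
                st["on"] += [s for s in hits if s.name not in st["banned"] and s not in st["on"]]
    return st["on"], st["protos"]
```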

Supplemental Information
