Before the BIG-IP® system can process SSL traffic, you need to define the cipher string that you want the system to use when negotiating security settings with client or server systems.
Typing a raw cipher string on the system is tedious and can easily contain typos. It can also be insecure, since the cipher string could inadvertently cause the system to negotiate in a way that you didn't intend.
To avoid these problems, you can use cipher rules and cipher groups. With cipher rules and groups, you instruct the BIG-IP system which cipher suites to include and exclude, and the system will build the cipher string for you. This illustration shows the main screen for creating a cipher group.
Use of cipher groups and cipher rules is optional.
The BIG-IP® system supports a large set of cipher suites that you can choose from to build the cipher string used for security negotiation.
Supported cipher suites include various combinations of encryption algorithms and authentication mechanisms, including RSA (Rivest Shamir Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).
The system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.
A cipher rule is a partial cipher string, with a name, that contains one or more cipher suites. You can combine these cipher rules to create a custom cipher group, which the BIG-IP® system uses to build the final cipher string that the BIG-IP system will use for SSL negotiation with client and server systems.
An example of a cipher rule might be one that specifies only cipher suites using a particular bulk encryption algorithm or a particular key exchange algorithm.
The BIG-IP system offers a set of pre-built cipher rules, with names containing the prefix f5-. This table lists these cipher rules and the cipher strings they represent.
| Cipher rule name | Associated cipher string |
|---|---|
If none of the pre-built cipher rules contains the cipher suites you need, you can create your own cipher rules to include in a custom cipher group. You can also combine your own cipher rules with pre-built ones.
Here's an example of a custom cipher rule that you can create for an Elliptic Curve cipher suite:
A cipher group contains a list of cipher rules, and the instructions that the BIG-IP® system needs for building the cipher string it will use for security negotiation. The instructions tell the system which cipher rules to include in the string, and how to apply them (allow, disallow, and so on, and in what order).
The BIG-IP system offers a few pre-built cipher groups that you can use as is to build your final cipher string. However, it's common to create your own custom cipher group instead.
This illustration shows an example of a custom cipher group. Using this cipher group, the BIG-IP system builds the final cipher string using a user-created custom cipher rule named /Common/my_ecdhe_rsa and the pre-built cipher rule /Common/f5-default.
Notice that the system will exclude from the string any cipher suites defined in the pre-built cipher rule /Common/f5-hw_keys.
Also notice that the cipher group displays a preview of the final cipher string after the instructions are applied.
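The following is an added example, not part of the BIG-IP product or this documentation, that models how a cipher group turns its rules and instructions into the previewed cipher string: suites from the allowed rules are concatenated in rule order, duplicates are dropped, and any suite named in an excluded rule is removed. The rule names mirror the ones shown above, but the suite lists are constructed for illustration and are not the real contents of the pre-built f5- rules.

```python
"""Model of how a cipher group builds its final cipher string from cipher rules."""
from typing import Dict, List

# Constructed sample rules (assumed contents, NOT the real f5- rule definitions).
CIPHER_RULES: Dict[str, List[str]] = {
    "/Common/my_ecdhe_rsa": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ],
    "/Common/f5-default": [
        "ECDHE-RSA-AES128-GCM-SHA256",  # overlaps with the custom rule above
        "AES256-SHA256",
        "AES128-SHA",
    ],
    "/Common/f5-hw_keys": [
        "AES256-SHA256",
        "AES128-SHA",
    ],
}


def build_cipher_string(rules: Dict[str, List[str]],
                        allow: List[str],
                        exclude: List[str]) -> str:
    """Return the final cipher string for a cipher group.

    Suites from the 'allow' rules are kept in rule order (first occurrence
    wins), and every suite found in an 'exclude' rule is dropped. A group
    whose exclusions remove every allowed suite would leave the SSL profile
    with nothing to negotiate, so that case is reported instead of returning
    an empty string.
    """
    excluded = {suite for name in exclude for suite in rules[name]}
    final: List[str] = []
    for name in allow:
        for suite in rules[name]:
            if suite not in excluded and suite not in final:
                final.append(suite)
    if not final:
        raise ValueError("cipher group excludes every allowed cipher suite")
    return ":".join(final)


if __name__ == "__main__":
    # Preview for the group described above: allow the custom rule and
    # f5-default, exclude everything listed in f5-hw_keys.
    print(build_cipher_string(CIPHER_RULES,
                              ["/Common/my_ecdhe_rsa", "/Common/f5-default"],
                              ["/Common/f5-hw_keys"]))
```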
For security and performance reasons, consider the following recommendations:
There are a few tasks you need to perform to use cipher rules and cipher groups to configure the cipher string that the BIG-IP® system will use for SSL negotiation.
This illustration shows the order that you need to perform these tasks in.
Before you create and deploy a custom cipher string, you can review the pre-built cipher groups on the BIG-IP® system to see if any of them already contains the cipher suites you need.
For example, this shows the pre-built cipher group /Common/f5-ecc and the cipher suites included in it.
When you create your own cipher rules for a custom cipher group, the BIG-IP® system can build a cipher string that includes or excludes the cipher suites you need for negotiating SSL connections.
You build a final, custom cipher string by creating a cipher group. A cipher group contains the cipher rules and instructions that the BIG-IP® system needs for building the cipher string it will use for security negotiation with a client or server system.
For example, this shows the cipher suites included in the pre-built cipher rule named /Common/f5-ecc.
Here's an example of a list of available cipher rules that you might see within a cipher group. Notice that we've selected both a pre-built cipher rule and a custom cipher rule:
Here we see that we're instructing the BIG-IP system to allow, during security negotiation, the cipher suites contained in the selected cipher rules:
Specifying a custom cipher group within a particular Client SSL or Server SSL profile tells the BIG-IP system which cipher string to use when negotiating security settings.
This shows a custom cipher group selected for the Ciphers setting: