Manual Chapter: Configuring a custom cipher string for SSL negotiation

Overview: Configuring a custom cipher string for SSL negotiation

Before the BIG-IP® system can process SSL traffic, you need to define the cipher string that you want the system to use when negotiating security settings with client or server systems.

Typing a raw cipher string on the system is tedious and error-prone. It can also be insecure, because a mistyped cipher string could cause the system to negotiate in a way that you did not intend.

To avoid these problems, you can use cipher rules and cipher groups. With cipher rules and groups, you instruct the BIG-IP system which cipher suites to include and exclude, and the system will build the cipher string for you. This illustration shows the main screen for creating a cipher group.

Use of cipher groups and cipher rules is optional.

About BIG-IP cipher support

The BIG-IP® system supports a large set of cipher suites that you can choose from to build the cipher string used for security negotiation.

Supported cipher suites include various combinations of encryption algorithms and authentication mechanisms, including RSA (Rivest Shamir Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).

The system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.

What is a cipher rule?

A cipher rule is a named partial cipher string that contains one or more cipher suites. You can combine cipher rules to create a custom cipher group, from which the BIG-IP® system builds the final cipher string it uses for SSL negotiation with client and server systems.

An example of a cipher rule might be one that specifies only cipher suites using a particular bulk encryption algorithm or a particular key exchange algorithm.

Pre-built cipher rules

The BIG-IP system offers a set of pre-built cipher rules, with names containing the prefix f5-. This table lists these cipher rules and the cipher strings they represent.

Table 1. Pre-built cipher rules and their contents

  Cipher rule name   Associated cipher string
  f5-aes             AES
  f5-default         DEFAULT
  f5-ecc             ECDHE:ECDHE_ECDSA
  f5-hw_keys         ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-CBC-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH
  f5-secure          ECDHE:RSA:!SSLV3:!RC4:!EXP:!DES

Custom cipher rules

If none of the pre-built cipher rules contains the cipher suites you need, you can create your own cipher rules to include in a custom cipher group. You can also combine your own cipher rules with pre-built ones.

Here's an example of a custom cipher rule that you can create for an Elliptic Curve cipher suite:

What is a cipher group?

A cipher group contains a list of cipher rules, and the instructions that the BIG-IP® system needs for building the cipher string it will use for security negotiation. The instructions tell the system which cipher rules to include in the string, and how to apply them (allow, disallow, and so on, and in what order).

Pre-built cipher groups

The BIG-IP system offers a few pre-built cipher groups that you can use as is to build your final cipher string. However, it is common to create your own custom cipher group instead.

Custom cipher groups

This illustration shows an example of a custom cipher group. Using this cipher group, the BIG-IP system builds the final cipher string using a user-created custom cipher rule named /Common/my_ecdhe_rsa and the pre-built cipher rule /Common/f5-default.

Notice that the system will exclude from the string any cipher suites defined in the pre-built cipher rule /Common/f5-hw_keys.

Also notice that the cipher group displays a preview of the final cipher string after the instructions are applied.

Best practices for BIG-IP cipher strings

For security and performance reasons, consider the following recommendations:

  • Always append cipher suites to the DEFAULT cipher string.
  • Include a cipher string that specifies the ECC key type, because its shorter length speeds up encryption and decryption while still offering virtually the same level of security.
  • Disable ADH ciphers but also include the keyword HIGH. To do this, just include both !ADH and :HIGH in your cipher string.
  • For AES, DES, and RC4 encryption types, make sure you specify the DHE key exchange method. DHE provides forward secrecy: it creates a session key that is discarded after each session, so the same session key is never used twice. When you use DHE, make sure that the SSL private key is not being shared with a monitoring system or a security device such as an intrusion detection or prevention system, and be aware that diagnostic tools like ssldump will not work when forward secrecy is in use.
  • Disable EXPORT ciphers by including !EXPORT in the cipher string.
  • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is insecure. Simply include :!SSLv3 in any cipher string you build.

View all cipher suites supported by BIG-IP system

Before you start this task, make sure your user account gives you permission to access the BIG-IP® advanced shell.
You can use the BIG-IP advanced shell to view all cipher suites that the BIG-IP system supports.
  1. Using a console access application such as PuTTY, log in to the advanced shell on the BIG-IP system.
  2. At the system prompt, type either tmm --clientciphers all or tmm --serverciphers all.
    The system lists all supported cipher suites for either client-side or server-side traffic.

Task summary for configuring a custom cipher string

There are a few tasks you need to perform to use cipher rules and cipher groups to configure the cipher string that the BIG-IP® system will use for SSL negotiation.

This illustration shows the order that you need to perform these tasks in.

Confirm the need for a custom cipher string

Before you create and deploy a custom cipher string, you can review the pre-built cipher groups on the BIG-IP® system to see if any of them already contains the cipher suites you need.

  1. On the Main tab, click Local Traffic > Ciphers > Groups .
    The screen displays a list of pre-built cipher groups.
  2. In the Name column, click the name of a cipher group.
    For example, click /Common/f5-ecc.
    The system displays the contents of the cipher group.
  3. In the Available Cipher Rules list, find the corresponding cipher rule and click the plus sign to view the cipher suites included in the rule.

    For example, this shows the pre-built cipher group /Common/f5-ecc and the cipher suites included in it.

    If the cipher suites in the corresponding cipher rule are not sufficient for your cipher string, you'll need to create your own custom cipher group.
  4. Click Cancel.
  5. As an option, you can repeat this task for any other pre-built cipher groups.

Create partial cipher strings to include in a custom cipher string

When you create your own cipher rules for a custom cipher group, the BIG-IP® system can build a cipher string that includes or excludes the cipher suites you need for negotiating SSL connections.

  1. On the Main tab, click Local Traffic > Ciphers > Rules .
    The screen displays a list of pre-built cipher rules.
  2. Click Create.
  3. In the Name field, type a name for the cipher rule.
    Note: Never include the prefix f5- in a cipher rule name. This prefix is reserved for pre-built cipher rules only.

    For example:

  4. In the Cipher String field, type a cipher string that represents one or more cipher suites.

    For example:

  5. Click Finished.
The cipher rule now appears within any custom cipher group, in the list of available cipher rules.

Build a custom cipher string

Before starting this task, make sure you've confirmed the need to create a custom cipher string instead of using a pre-built cipher group.

You build a final, custom cipher string by creating a cipher group. A cipher group contains the cipher rules and instructions that the BIG-IP® system needs for building the cipher string it will use for security negotiation with a client or server system.

  1. On the Main tab, click Local Traffic > Ciphers > Groups .
    The screen displays a list of pre-built cipher groups.
  2. Click Create.
  3. In the Name field, type a name for the cipher group.
    Note: Never include the prefix f5- in a cipher group name. This prefix is reserved for pre-built cipher groups only.
  4. If you created any custom rules, then in the Cipher Creation area of the screen in the Available Cipher Rules list, verify that the custom rules appear in the list.
  5. For each cipher rule in the Available Cipher Rules list, click the plus sign to view the cipher suites included in the rule.

    For example, this shows the cipher suites included in the pre-built cipher rule named /Common/f5-ecc.

  6. In the Available Cipher Rules list, select the boxes for the cipher rules you want to allow for negotiating security for SSL connections.
    Important: We strongly recommend that you select the cipher rule /Common/f5-default, and for added security, select other cipher rules, too.

    Here's an example of a list of available cipher rules that you might see within a cipher group. Notice that we've selected both a pre-built cipher rule and a custom cipher rule:

  7. Move the selected cipher rules to the Allow the following box.

    Here we see that we're instructing the BIG-IP system to allow, during security negotiation, the cipher suites contained in the selected cipher rules:

  8. Again from the Available Cipher Rules list, select the boxes for the cipher rules you want to restrict the allowed cipher rules to when negotiating security for SSL connections.
  9. Using the Move button, move the selected cipher rules to the Restrict the Allowed list to the following box.
  10. If you want to exclude any cipher rules from the allowed list, then from the Available Cipher Rules list, select the boxes for the rules you want to exclude.
  11. Using the Move button, move the selected cipher rules to the Exclude the following from the Allowed list box.
  12. From the Order list, select the order that you want the BIG-IP system to use when negotiating SSL connections.
    The choices are: Default, Speed, Strength, FIPS, and Hardware.
  13. In the Cipher Audit area of the screen, view the cipher string that the BIG-IP system will construct based on the selections you made in the previous steps.
  14. Click Finished.
After you complete this task, the BIG-IP system has a custom cipher group that the BIG-IP system will use to build the final cipher string.
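As an added example that is not part of this manual, the following Python models two things described above: how the '!' negations in the best-practice cipher strings take suites out of the string, and how a cipher group's allow, restrict and exclude instructions combine cipher rules into the suite list shown in the Cipher Audit preview. The suite catalogue, its tag sets, the DEFAULT alias and the rule names other than the pre-built ones are constructed assumptions, and the resolution rules are simplified OpenSSL-style semantics rather than the BIG-IP implementation.

```python
# Constructed catalogue and simplified semantics; on a BIG-IP system the real
# suite list comes from `tmm --clientciphers all`.
CATALOGUE = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"ECDHE", "RSA", "AES", "HIGH", "TLSv1.2"},
    "ECDHE-ECDSA-AES128-GCM-SHA256": {"ECDHE", "ECDSA", "AES", "HIGH", "TLSv1.2"},
    "DHE-RSA-AES256-SHA": {"DHE", "RSA", "AES", "HIGH", "SSLv3"},
    "AES256-SHA": {"RSA", "AES", "HIGH", "SSLv3"},
    "RC4-SHA": {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "ADH-AES128-SHA": {"ADH", "AES", "HIGH", "SSLv3"},
    "EXP-RC4-MD5": {"RSA", "RC4", "EXPORT", "EXP", "SSLv3"},
}
# Keyword alias (constructed) standing in for the built-in DEFAULT cipher string.
ALIASES = {"DEFAULT": "HIGH:MEDIUM:!ADH:!EXPORT"}

def expand(cipher_string):
    """Resolve a ':'-separated cipher string to an ordered list of suite names.
    OpenSSL-style: a plain term appends suites carrying that tag (or exact name);
    a '!' term removes matches and bans them so later terms cannot re-add them."""
    selected, banned = [], set()
    for term in filter(None, cipher_string.split(":")):
        negate = term.startswith("!")
        key = term.lstrip("!").upper()
        if key in ALIASES and not negate:
            for name in expand(ALIASES[key]):
                if name not in banned and name not in selected:
                    selected.append(name)
            continue
        for name, tags in CATALOGUE.items():
            if key != name.upper() and key not in {t.upper() for t in tags}:
                continue
            if negate:
                banned.add(name)
                selected = [s for s in selected if s != name]
            elif name not in banned and name not in selected:
                selected.append(name)
    return selected

def build_cipher_group(rules, allow, restrict=(), exclude=()):
    """Model of a cipher group's instructions: allowed rules are joined, restrict
    keeps only suites the restrict rules also match, exclude drops every suite
    the exclude rules match. The Order setting is not modelled."""
    result = expand(":".join(rules[r] for r in allow))
    if restrict:
        keep = set(expand(":".join(rules[r] for r in restrict)))
        result = [s for s in result if s in keep]
    if exclude:
        drop = set(expand(":".join(rules[r] for r in exclude)))
        result = [s for s in result if s not in drop]
    return result
```

Because a '!' term bans a suite for the rest of the string, "!ADH:HIGH:ADH" and "HIGH:ADH:!ADH" both end without the ADH suite, which is why the best practice of appending !ADH to a string that also contains HIGH works regardless of position.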

Specify a custom cipher string within an SSL traffic filter

Before starting this task, make sure that the relevant traffic filter for managing SSL traffic (either a Client SSL or Server SSL profile) exists on the BIG-IP® system.

Specifying a custom cipher group within a particular Client SSL or Server SSL profile tells the BIG-IP system which cipher string to use when negotiating security settings.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client or Local Traffic > Profiles > SSL > Server .
    The Client SSL or Server SSL profile list screen opens.
  2. Click the name of a profile.
  3. From the Configuration list, select Advanced.
  4. On the right side of the screen, select the Custom check box.
  5. For the Ciphers setting, click Cipher Group and from the list, select a custom cipher group.

    This shows a custom cipher group selected for the Ciphers setting:

  6. Click Update.

Activate a cipher string for an application flow

Before starting this task, make sure that the virtual server for the relevant SSL application flow exists on the BIG-IP® system.
You activate a cipher string for a specific application flow by assigning a Client SSL or Server SSL profile (or both) to a virtual server. This causes the BIG-IP system to use the cipher group specified in the profile to build the cipher string for negotiating security settings for SSL connections.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the Configuration list, select Advanced.
  4. For the SSL Profile (Client) and the SSL Profile (Server) settings, from the Available list, select the name of the SSL profile you previously created, and move the name to the Selected list:
    Using the SSL Profile (Server) setting is optional.
  5. Click Update to save the changes.
The BIG-IP system now uses the cipher group specified in an SSL profile to build a cipher string to use when negotiating security for the relevant application flow.