Before the BIG-IP® system can process SSL traffic, you need to define the cipher string that the system uses when negotiating security settings with client or server systems. Typing a raw cipher string on the system is tedious and error-prone, and a typo can silently change what the system offers. It can also be insecure, because a poorly written cipher string can cause the system to negotiate weaker ciphers or key exchanges than you intended.
To solve these problems, you can use a pre-built cipher string, known as a cipher group. A cipher group is a named set of partial cipher strings (known as cipher rules) together with a set of instructions that the system uses to combine those rules into the final cipher string for SSL negotiation.
All pre-built cipher groups are available on the BIG-IP system, ready for you to assign to a Client SSL or Server SSL profile. They are:
For example, this illustration shows the pre-built cipher group /Common/f5-ecc. The contents of this cipher group are the cipher rule of the same name (/Common/f5-ecc), which contains the cipher string ECDHE:ECDHE_ECDSA (not shown). You can see a preview of the resulting cipher string in the Cipher Audit area of the screen:
The BIG-IP® system supports a large set of cipher suites that you can choose from to build the cipher string used for security negotiation.
Supported cipher suites include various combinations of encryption algorithms and authentication mechanisms, including RSA (Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).
The system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.
There are a few tasks you need to perform to configure a pre-built cipher string that the BIG-IP® system will use for SSL negotiation.
This illustration shows the order that you need to perform these tasks in.
Before you configure a cipher string for the BIG-IP® system to use in SSL negotiations with client or server systems, you need to determine whether you can use a pre-built cipher group or whether you need to create a custom cipher group. You do this by viewing each pre-built cipher group on the system and checking the resulting cipher string in the Cipher Audit area against your requirements.
For example, this illustration shows the cipher suites included in the pre-built cipher rule named /Common/f5-ecc.
You specify the cipher string that the BIG-IP system uses to negotiate security settings with a client or server system by assigning a cipher group to a Client SSL or Server SSL profile.
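The procedure above (view a cipher group, see the cipher string it resolves to in the Cipher Audit area, then assign it to an SSL profile) can be modelled offline so that you can check what a group will offer before it touches a profile. The following Python is an added example, not F5 code: the keyword catalogue is a small constructed subset of what the BIG-IP system actually supports, the interpretation of the ECDHE keyword as ECDHE key exchange with RSA authentication is assumed, and the allow/restrict/exclude composition model is an assumption about how the group's "set of instructions" is applied. The audit function flags the negotiation outcomes that the raw-cipher-string warning above is about: suites without forward secrecy, legacy ciphers, and non-AEAD suites.

```python
"""Model of a BIG-IP cipher group: cipher rules -> final suite list -> audit.

Added example, not F5 code. KEYWORD_SUITES is a constructed subset; the
allow/restrict/exclude semantics are assumed for illustration.
"""
from typing import Dict, List, Sequence

# Constructed catalogue of what each cipher-string keyword expands to.
# The real BIG-IP expansion is much larger and version dependent.
KEYWORD_SUITES: Dict[str, List[str]] = {
    "ECDHE_ECDSA": [
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-SHA",
    ],
    "ECDHE": [  # assumed: ECDHE key exchange with RSA authentication
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES256-SHA",
    ],
    "DHE": ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA"],
    "RSA": ["AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"],
    "RC4": ["RC4-SHA", "RC4-MD5"],
}
ALL_SUITES = {s for suites in KEYWORD_SUITES.values() for s in suites}


def expand_cipher_string(cipher_string: str) -> List[str]:
    """Expand a colon-separated cipher string into an ordered suite list.

    A '!' prefix removes earlier matches. An unknown keyword or suite
    raises, which is how a typo in a raw string gets caught here instead
    of silently shrinking the offered list.
    """
    suites: List[str] = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name in KEYWORD_SUITES:
            matches = KEYWORD_SUITES[name]
        elif name in ALL_SUITES:
            matches = [name]
        else:
            raise ValueError(f"unknown cipher keyword or suite: {name!r}")
        if negate:
            suites = [s for s in suites if s not in matches]
        else:
            suites.extend(s for s in matches if s not in suites)
    return suites


def compose_cipher_group(rules: Dict[str, str], allow: Sequence[str],
                         restrict: Sequence[str] = (),
                         exclude: Sequence[str] = ()) -> List[str]:
    """Resolve named cipher rules into the group's final suite list.

    Assumed model: allow = ordered union of rule expansions, restrict =
    intersection with the union of those rules, exclude = subtraction.
    """
    def union(rule_names: Sequence[str]) -> List[str]:
        out: List[str] = []
        for rule in rule_names:
            out.extend(s for s in expand_cipher_string(rules[rule])
                       if s not in out)
        return out

    allowed = union(allow)
    if restrict:
        keep = set(union(restrict))
        allowed = [s for s in allowed if s in keep]
    if exclude:
        drop = set(union(exclude))
        allowed = [s for s in allowed if s not in drop]
    return allowed


def audit_suites(suites: Sequence[str]) -> Dict[str, List[str]]:
    """Flag suites a reviewer should question before assigning the group."""
    findings: Dict[str, List[str]] = {
        "no_forward_secrecy": [], "weak_cipher": [], "no_aead": []}
    for s in suites:
        if not s.startswith(("ECDHE-", "DHE-")):
            findings["no_forward_secrecy"].append(s)
        if any(w in s for w in ("DES", "RC4", "MD5", "NULL", "EXPORT")):
            findings["weak_cipher"].append(s)
        if not any(a in s for a in ("GCM", "CCM", "CHACHA20")):
            findings["no_aead"].append(s)
    return findings


# Constructed cipher rules; /Common/f5-ecc uses the string named on this page.
RULES = {
    "/Common/f5-ecc": "ECDHE:ECDHE_ECDSA",
    "/Common/legacy": "RSA:RC4",
    "/Common/no-3des": "DES-CBC3-SHA",
}

if __name__ == "__main__":
    # Preview of the group's final string, in the spirit of Cipher Audit.
    for name, suites in (("f5-ecc", compose_cipher_group(RULES, ["/Common/f5-ecc"])),
                         ("mixed", compose_cipher_group(
                             RULES, ["/Common/f5-ecc", "/Common/legacy"],
                             exclude=["/Common/no-3des"]))):
        print(name, ":".join(suites))
        for category, hits in audit_suites(suites).items():
            if hits:
                print("  ", category, hits)
```

Run the script as-is to see the f5-ecc preview come back clean apart from two non-AEAD CBC suites, while a group that also allows the legacy rule still offers RC4 and static-RSA key exchange even after the 3DES exclusion; that second list is the kind of unintended negotiation the warning about raw cipher strings refers to, and the check is worth running before assigning a group to a production profile.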