Manual Chapter : Applying a Pre-built Cipher String for SSL Negotiation

Applies To: BIG-IP AAM, APM, Link Controller, Analytics, LTM, AFM, PEM, DNS and ASM, versions 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1 and 13.0.0

Overview: Using a pre-built cipher string

Before the BIG-IP® system can process SSL traffic, you need to define the cipher string that the system uses when negotiating security settings with client or server systems. Typing a raw cipher string on the system is tedious and error-prone, and a typo is not just a nuisance: it can also be insecure, because a mistyped or misordered cipher string can cause the system to negotiate cipher suites that you never intended to allow.

To solve these problems, you can use a pre-built cipher string, known as a cipher group. A pre-built cipher group is a named, pre-built set of partial cipher strings (known as cipher rules) and a set of instructions that the system uses to create the final cipher string for SSL negotiation.

All pre-built cipher groups are available on the BIG-IP system, ready for you to assign to a Client SSL or Server SSL profile. They are:

  • /Common/f5-default
  • /Common/f5-aes
  • /Common/f5-ecc
  • /Common/f5-hw_keys
  • /Common/f5-secure

For example, the pre-built cipher group /Common/f5-ecc contains a single cipher rule of the same name (/Common/f5-ecc), whose cipher string is ECDHE:ECDHE_ECDSA. When you open the group in the Configuration utility, the Cipher Audit area of the screen shows a preview of the cipher string that results from the group's rules and instructions, so you can check what the system will actually offer before assigning the group to a profile.

About BIG-IP cipher support

The BIG-IP® system supports a large set of cipher suites that you can choose from to build the cipher string used for security negotiation.

Supported cipher suites include various combinations of encryption algorithms and authentication mechanisms, including RSA (Rivest Shamir Adleman), DSA (Digital Signature Algorithm), and ECDSA (Elliptic Curve Digital Signature Algorithm).

The system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports. The contents of DEFAULT are not fixed across software releases, so verify what it expands to on your version before relying on it.

Task summary for configuring a pre-built cipher string

There are a few tasks you need to perform to configure a pre-built cipher string that the BIG-IP® system will use for SSL negotiation.

Perform these tasks in the following order:

  1. Confirm that one of the pre-built cipher groups contains the cipher suites you need.
  2. Assign that cipher group to a Client SSL or Server SSL profile.
  3. Assign the profile to the virtual server for the relevant application flow.

Confirm the ability to use a pre-built cipher string

Before you configure a cipher string for the BIG-IP® system to use in SSL negotiations with client or server systems, you need to determine whether you can use a pre-built cipher group or whether you'll need to create a custom cipher group. You do this by viewing each pre-built cipher group on the system and checking which cipher suites its rules select.

  1. On the Main tab, click Local Traffic > Ciphers > Groups .
    The screen displays a list of pre-built cipher groups.
  2. In the Name column, click the name of a cipher group.
    For example, click /Common/f5-ecc.
  3. In the Available Cipher Rules list, find the corresponding cipher rule and click the plus sign to view the cipher suites included in the rule.
    For example, for the /Common/f5-ecc group, expanding the pre-built cipher rule named /Common/f5-ecc lists the individual cipher suites selected by that rule's cipher string, ECDHE:ECDHE_ECDSA.

  4. Click Cancel.
  5. As an option, you can repeat this task for any other pre-built cipher groups.
After doing this task, if you found no pre-built cipher group containing all of the cipher suites you need for your cipher string, you'll need to create your own custom cipher group instead.

Specify a cipher string within an SSL traffic filter

Before starting this task, make sure that the relevant traffic filter for managing SSL traffic (either a Client SSL or Server SSL profile) exists on the BIG-IP® system.

You specify the cipher string that the BIG-IP system uses to negotiate security settings with a client or server system, by assigning a cipher group to a Client SSL or Server SSL profile.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client or Local Traffic > Profiles > SSL > Server .
    The Client SSL or Server SSL profile list screen opens.
  2. Click the name of a profile.
  3. From the Configuration list, select Advanced.
  4. On the right side of the screen, select the Custom check box.
  5. For the Ciphers setting, click Cipher Group and from the list, select a cipher group.
  6. Click Update.

Activate a cipher string for an application flow

Before starting this task, make sure that the virtual server for the relevant SSL application flow exists on the BIG-IP® system.
You activate a cipher string for a specific application flow by assigning a Client SSL or Server SSL profile (or both) to a virtual server. This causes the BIG-IP system to use the cipher group specified in the profile to build the cipher string for negotiating security settings for SSL connections.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the Configuration list, select Advanced.
  4. For the SSL Profile (Client) and the SSL Profile (Server) settings, from the Available list, select the name of the SSL profile you previously created, and move the name to the Selected list:
    Using the SSL Profile (Server) setting is optional.
  5. Click Update to save the changes.
The BIG-IP system now uses the cipher group specified in an SSL profile to build a cipher string to use when negotiating security for the relevant application flow.
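The three tasks above are described for the Configuration utility. The same sequence (confirm the pre-built group, point the SSL profile at it, attach the profile to the virtual server) can be scripted against the BIG-IP iControl REST API, which is how a practitioner would apply it consistently across many profiles. The following is an added example and not code from the F5 manual: the host name, credentials, profile name and virtual server name are assumptions, and the JSON attribute names (cipherGroup, ciphers, profiles[].context) follow the REST form of the corresponding tmsh properties and should be checked against the REST reference for your version. The equivalent tmsh commands are noted in comments.

```python
"""Assign a pre-built cipher group to a Client SSL profile and attach that
profile to a virtual server through the BIG-IP iControl REST API, then read
the objects back to confirm the change actually took effect.

Added example, not F5 code. Host, credentials, profile and virtual server
names are assumptions; attribute names mirror the tmsh properties.
"""
import base64
import json
import ssl
import urllib.request

# The five pre-built cipher groups listed in the manual. Anything else must be
# a custom group you created yourself, so it is refused here to catch typos.
PREBUILT_CIPHER_GROUPS = frozenset({
    "/Common/f5-default",
    "/Common/f5-aes",
    "/Common/f5-ecc",
    "/Common/f5-hw_keys",
    "/Common/f5-secure",
})


def rest_name(full_path):
    """iControl REST encodes '/Common/name' as '~Common~name' in URL paths."""
    return full_path.replace("/", "~")


def cipher_group_patch(cipher_group):
    """PATCH body that switches a Client/Server SSL profile to a cipher group.

    The cipher-group and ciphers properties are mutually exclusive on the
    profile, so the raw cipher string is set to 'none' in the same request
    (tmsh: modify ltm profile client-ssl <name> cipher-group <group> ciphers none).
    """
    if cipher_group not in PREBUILT_CIPHER_GROUPS:
        raise ValueError(f"{cipher_group!r} is not a pre-built cipher group")
    return {"cipherGroup": cipher_group, "ciphers": "none"}


def add_ssl_profile(existing_profiles, profile, context):
    """Return the profile list for a virtual server with `profile` added.

    PATCHing `profiles` replaces the whole list, so the current entries (TCP,
    HTTP, ...) must be re-sent or they are silently removed. The function is
    idempotent: an already-attached profile is replaced, not duplicated.
    """
    if context not in ("clientside", "serverside"):
        raise ValueError("context must be clientside or serverside")
    kept = [p for p in existing_profiles
            if p.get("fullPath", p.get("name")) != profile]
    return kept + [{"name": profile, "context": context}]


def profile_uses_group(profile_json, cipher_group):
    """Post-change check on a GET of the SSL profile: the group is set and no
    raw cipher string is left that could override it."""
    return (profile_json.get("cipherGroup") == cipher_group
            and str(profile_json.get("ciphers", "none")).lower() == "none")


class BigIP:
    """Minimal iControl REST client using HTTP basic authentication."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # Only disable verification for a lab box with a self-signed certificate.
        self.ctx = (ssl.create_default_context() if verify_tls
                    else ssl._create_unverified_context())

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def get(self, path):
        return self._call("GET", path)

    def patch(self, path, body):
        return self._call("PATCH", path, body)


def main():
    # Assumed names for this example.
    host, user, password = "bigip.example.net", "admin", "secret"
    group = "/Common/f5-ecc"
    profile = "/Common/my_clientssl"
    virtual = "/Common/my_https_vs"
    bigip = BigIP(host, user, password, verify_tls=False)

    # Task 1: confirm the pre-built group exists and inspect its cipher rules
    # (tmsh: list ltm cipher group f5-ecc).
    print(json.dumps(bigip.get(f"/mgmt/tm/ltm/cipher/group/{rest_name(group)}"), indent=2))

    # Task 2: point the Client SSL profile at the cipher group and verify it stuck.
    prof_path = f"/mgmt/tm/ltm/profile/client-ssl/{rest_name(profile)}"
    bigip.patch(prof_path, cipher_group_patch(group))
    if not profile_uses_group(bigip.get(prof_path), group):
        raise SystemExit(f"{profile} does not reference {group} after update")

    # Task 3: attach the profile to the virtual server, keeping its other profiles
    # (tmsh: modify ltm virtual my_https_vs profiles add { my_clientssl { context clientside } }).
    vs_path = f"/mgmt/tm/ltm/virtual/{rest_name(virtual)}"
    current = bigip.get(vs_path + "/profiles").get("items", [])
    bigip.patch(vs_path, {"profiles": add_ssl_profile(current, profile, "clientside")})
    print(f"attached {profile} to {virtual}")


if __name__ == "__main__":
    main()
```

The read-back after the profile PATCH is the part worth keeping even if you script this differently: a PATCH that the API accepts is not proof that the profile now negotiates from the cipher group, and an SSL profile that still carries a raw cipher string is exactly the misconfiguration the manual warns about.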