1) Why are there ALL and DEFAULT?
ALL is the list of all supported ciphers.
DEFAULT is the list of ciphers in the standard SSL profile, and provides a combination of useful and generally supported ciphers.
There are ciphers in ALL that are not recommended for general use. They are provided because they may be used in some specific circumstances.
2) Since I am using default (ciphers DEFAULT), I don't need to care about ALL?
You should always evaluate the ciphers supported in DEFAULT and compare them to your requirements. For example, DEFAULT may not provide a sufficiently strong score against an external ranking system like Qualys (due to the wider range of ciphers provided for client compatibility).
3) What exactly does this command do?
4) tmm --clientciphers 'ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1'
From the ALL list of available ciphers, remove the following:
- EXPORT quality ciphers (EXPORT ciphers are weakened ciphers with smaller keys)
- RC4 based ciphers (a stream cipher that is no longer considered secure)
- DES based ciphers that are now considered insecure
- ADH: Anonymous Diffie-Hellman is an unauthenticated Diffie-Hellman exchange, and should not be used.
- EDH: Ephemeral Diffie-Hellman exchange. On LTM these are DHE_* ciphers. Some implementations of 1024-bit DHE are considered weak because they use common parameters allowing a pregenerated parameter attack. The F5 implementation of 1024-bit DHE is not susceptible to this because the parameters are regenerated hourly.
- SSLv3: This excludes ciphers that support the SSLv3 SSL/TLS protocol version. SSLv3 has weaknesses and should not be used.
- TLSv1: This excludes ciphers that support the TLSv1.0 SSL/TLS protocol version.
- SHA1: This excludes ciphers that use the SHA1 cryptographic hash.
K13171: Configuring the cipher strength for SSL profiles explains the difference between "!" and "-".
5) Will the above command remove !RC4 from the box forever?
It removes RC4 from the specific clientSSL profile.
N.B. - do not modify the default clientssl profile directly. Create a new profile with your customized cipher string, and use the new profile as the parent for your specific clientSSL profiles.
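To make the left-to-right evaluation of a cipher string concrete, here is a small added Python model (not F5 code, and not the real tmm cipher table). The cipher table is constructed for illustration, and the keyword groupings are approximations: a protocol keyword such as SSLv3 is taken here to match suites first defined in that protocol version. It applies the exact string from the question and also shows why "!" (permanent removal) and "-" (removal that a later keyword can undo) behave differently.

```python
"""Toy evaluator for an OpenSSL-style cipher string like the one in the question.

Added example, not F5 code: the cipher table is constructed and the keyword
groupings are approximations of the real ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str     # suite name
    kx: str       # key exchange: RSA, DH, ECDH
    auth: str     # authentication: RSA, or None for anonymous suites
    enc: str      # bulk cipher
    mac: str      # MAC / hash (AEAD suites carry no separate MAC)
    proto: str    # protocol version the suite was first defined in (assumption)
    export: bool = False


# Constructed sample table; a real ALL list is far longer.
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM(256)", "AEAD", "TLSv1.2"),
    Cipher("AES256-SHA256", "RSA", "RSA", "AES(256)", "SHA256", "TLSv1.2"),
    Cipher("ECDHE-RSA-AES128-SHA", "ECDH", "RSA", "AES(128)", "SHA1", "TLSv1"),
    Cipher("DHE-RSA-AES256-SHA", "DH", "RSA", "AES(256)", "SHA1", "SSLv3"),
    Cipher("RC4-SHA", "RSA", "RSA", "RC4(128)", "SHA1", "SSLv3"),
    Cipher("DES-CBC-SHA", "RSA", "RSA", "DES(56)", "SHA1", "SSLv3"),
    Cipher("ADH-AES128-SHA", "DH", "None", "AES(128)", "SHA1", "SSLv3"),
    Cipher("EXP-RC4-MD5", "RSA(512)", "RSA", "RC4(40)", "MD5", "SSLv3", export=True),
]


def matches(c: Cipher, keyword: str) -> bool:
    """Does cipher c belong to the group named by keyword?"""
    groups = {
        "ALL": True,
        "EXPORT": c.export,
        "RC4": c.enc.startswith("RC4"),
        "DES": c.enc.startswith("DES("),           # single DES only, not 3DES
        "ADH": c.kx == "DH" and c.auth == "None",  # anonymous (unauthenticated) DH
        "EDH": c.kx == "DH" and c.auth != "None",  # authenticated ephemeral DH (DHE_*)
        "SSLv3": c.proto == "SSLv3",
        "TLSv1": c.proto == "TLSv1",
        "SHA1": c.mac == "SHA1",
    }
    return groups.get(keyword, c.name == keyword)  # fall back to an exact suite name


def evaluate(spec: str, table=CIPHERS) -> list[str]:
    """Apply the ':'-separated cipher string left to right; return enabled suite names."""
    enabled: list[Cipher] = []   # current list, in preference order
    killed: set[str] = set()     # names removed with '!' never come back
    for token in spec.split(":"):
        if not token:
            continue
        op, kw = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [c for c in table if matches(c, kw)]
        if op == "!":
            killed.update(c.name for c in hits)
            enabled = [c for c in enabled if c.name not in killed]
        elif op == "-":
            enabled = [c for c in enabled if c not in hits]   # a later keyword may re-add these
        elif op == "+":
            enabled = [c for c in enabled if c not in hits] + [c for c in enabled if c in hits]
        else:
            enabled += [c for c in hits if c.name not in killed and c not in enabled]
    return [c.name for c in enabled]


if __name__ == "__main__":
    spec = "ALL:!EXPORT:!RC4:!DES:!ADH:!EDH:!SSLv3:!TLSv1:!SHA1"
    print(spec, "->", evaluate(spec))
    # '!' is permanent, '-' is not: the trailing RC4 keyword only has an effect after '-'
    print("ALL:!RC4:RC4 ->", evaluate("ALL:!RC4:RC4"))
    print("ALL:-RC4:RC4 ->", evaluate("ALL:-RC4:RC4"))
```

With this constructed table the question's string leaves only the two TLSv1.2 suites without SHA1, DH or RC4/DES components. The last two calls show the point behind the K13171 reference: after "!RC4" a later "RC4" keyword cannot bring the suites back, whereas after "-RC4" it appends them again at the end of the list.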