Forum Discussion
nitass
Apr 24, 2015 Employee
The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.
Which CIPHER settings should I use to add PFS and achieve an A+?
I think DHE is included in 11.2.1 but it is not included in default cipher. Can you try 'DHE:!SSLv3'?
[root@B4200-R77-S7:Active:Standalone] config tmsh show sys version | head
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 1306.0
Edition Hotfix HF13
Date Wed Dec 3 15:05:53 PST 2014
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DHE:!SSLv3'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
9: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
13: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
- Moinul_Rony Apr 27, 2015 Altostratus
Thanks. But it's not working. Using DHE:!SSLv3 - downgrades to a B, with Cipher Strength going down to 60. Using Native I get an 'F'
~ tmm --clientcipher 'NATIVE:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
13: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
15: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
16: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
17: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
18: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
19: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
20: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
21: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
22: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
24: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
25: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
26: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
27: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
28: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
29: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
30: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
31: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
32: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
33: 98 EXP1024-DES-CBC-SHA 56 TLS1.1 Native DES SHA RSA
34: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA
35: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
37: 8 EXP-DES-CBC-SHA 40 TLS1.1 Native DES SHA RSA
38: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA
39: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
40: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
41: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
- uzi_260320 Sep 07, 2016 Nimbostratus
Hi Moinul,
Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.
Thanks!
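
Added example, not part of the thread and not F5 code: a small audit of a `tmm --clientcipher` listing that reports, per suite, whether the key exchange is non-ephemeral (no forward secrecy), whether the BITS column is low, and whether the suite is export-grade. The 128-bit threshold, the `audit` and `pfs_only_and_strong` names, and the `DHE`/`ECDHE` key-exchange prefixes are assumptions; only `EDH/RSA` and `RSA` appear in the listings above.

```python
import re

# Rows copied from the tmm --clientcipher listings quoted in the thread
# (DHE, DEFAULT and NATIVE strings); the selection is constructed for the demo.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
"""

# Columns: index, id, suite, bits, protocol, method, cipher, mac, keyx.
ROW = re.compile(
    r"^\s*\d+:\s+\d+\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")

MIN_BITS = 128                      # assumption: below this the suite is weak
EPHEMERAL = ("EDH", "DHE", "ECDHE")  # assumption: KEYX prefixes that give PFS


def audit(listing):
    """Return {suite: sorted list of issues}, merging the per-protocol rows."""
    findings = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if m is None:               # header, prompt or blank line
            continue
        suite, bits, keyx = m.group(1), int(m.group(2)), m.group(3)
        issues = findings.setdefault(suite, set())
        if not keyx.upper().startswith(EPHEMERAL):
            issues.add("no-forward-secrecy")
        if bits < MIN_BITS:
            issues.add("weak-key-length")
        if suite.startswith("EXP"):
            issues.add("export-grade")
    return {suite: sorted(issues) for suite, issues in findings.items()}


def pfs_only_and_strong(listing):
    """True only if the listing has suites and none of them has an issue."""
    result = audit(listing)
    return bool(result) and all(not issues for issues in result.values())


if __name__ == "__main__":
    for suite, issues in audit(SAMPLE).items():
        print(f"{suite:24} {', '.join(issues) or 'ok'}")
```

Pasting the full `DHE:!SSLv3` listing from the first reply into `audit` flags only the 64-bit `DHE-RSA-DES-CBC-SHA` rows, while the `DEFAULT:!SSLv3:!RC4` listing is flagged for every suite because all of its key exchanges are plain RSA.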