Can i prioritize the cipher suites in the ssl profile. For example if I have the following 4 cipher suites, how do I arrange them based on priority. I want them in following order where 1 is the highest priority and 4 is the lowest? 1 - RSA_WITH_RC4_128_SHA 2 - RSA_WITH_AES_256_CBC_SHA 3 - RSA_WITH_AES_128_CBC_SHA 4 - RSA_WITH_3DES_EDE_CBC_SHA

Yes you can. Just add them from left to right, just like you've done. You can find the "short names" here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html /Patrik

A tip is to set up a virtual server for testing and test with Qualys SSL labs. Then you can see the browser compatibility. /Patrik

The last one should be DES-CBC3-SHA. "!" means that you DON'T want the cipher in the list and you separate each cipher with a ":". Here's a ok, if a bit outdated article about cipher strings: https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites /Patrik

Hi Guys, Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....

How to prioritize cipher suites on F5

22 Replies

Techgeeeg
Nimbostratus
Nov 05, 2015
Hi Brad,

Apologies if I didnt get your above reply, my query was that I want to set the ciphers in the order that the the Ciphers which offer PFS should come first and than the ones which don't offer PFS. So is it possible to do this on F5? does your above reply show the ciphers set in the same order that the ciphers which order PFS are placed first and the ones which don't offer this are placed below??
- Brad_Parker
  Cirrus
  Nov 05, 2015
  Yes, the string above prioritizes PFS over non-PFS. Anything that contains ECDHE or DHE are PFS. Everything else, is not.
Techgeeeg
Nimbostratus
Nov 21, 2015
Hi Brad,

Thanks man that did the job now I only have 128 bit and 256 bits in the list I also want to include the 192 bit ciphers in the list so is it possible or they all use may be 3DES my current cipher string is as under

!EXPORT:!SSLv3:!SSLv2:!DTLSv1:!MD5:!RC4:!TLSv1:!3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES
- Brad_Parker
  Cirrus
  Nov 21, 2015
  Well the 192bit ciphers are 3DES and in actuality they are 168 since only the first 56bits are used in each key. Then the first key is reused as the third key making it only effectively a 112bit cipher. This is why 3DES is losing favorability as being secure. I know it's a very simplified explanation but 192bit 3DES is now only considered to be effectively 112bits.
Techgeeeg_28888
Nimbostratus
Nov 21, 2015
Hi Brad,

Thanks man that did the job now I only have 128 bit and 256 bits in the list I also want to include the 192 bit ciphers in the list so is it possible or they all use may be 3DES my current cipher string is as under

!EXPORT:!SSLv3:!SSLv2:!DTLSv1:!MD5:!RC4:!TLSv1:!3DES:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES
- Brad_Parker
  Cirrus
  Nov 21, 2015
  Well the 192bit ciphers are 3DES and in actuality they are 168 since only the first 56bits are used in each key. Then the first key is reused as the third key making it only effectively a 112bit cipher. This is why 3DES is losing favorability as being secure. I know it's a very simplified explanation but 192bit 3DES is now only considered to be effectively 112bits.
Techgeeeg
Nimbostratus
Nov 21, 2015
Thanks Brad

Forum Discussion

How to prioritize cipher suites on F5

22 Replies

Recent Discussions

iRule resulting in too many redirects

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

Azure SAML - F5 APM

Related Content

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

Disabling Specific Weak Cipher Suites

Cipher suite mismatch advertisement/warning

SSL Profiles Part 4: Cipher Suites