NimbostratusHi,
Please if someone can guide me as to how to configure specific cipher "AES256-SHA256" for server SSL profile. The server side certificate is using "AES256-SHA256" so they want it to use this. I am using version 11.4.1. Although the Default Cipher for this version supports if but still we want to force F5 to use this Cipher. Any help would be great.
MVPopenssl s_client -connect 10.x.x.x:443 -cipher AES256-SHA256
...
SSL handshake has read 1244 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
putting that ciper in the cipher block has always worked fine for me.
EmployeeI tested "AES256-SHA256" using openssl s_server against the end server.
I think technically you should be using openssl s_client to simulate the BIG-IP's role in communicating with the server. The client (BIG-IP) will send a list of ciphers that it can support to the server in its initial ClientHello message, and the server will pick a cipher from that list. That's generally how it works anyway. So if the client only presents one cipher, and the server supports that cipher, then that's what they will negotiate.
EmployeeNegating everything from the DEFAULT stack is one way to do it, but if you exclusively just want this one cipher, then you could specify it in the Cipher block of the SSL profile:
AES256-SHA256
From the command line:
tmm --serverciphers 'AES256-SHA256'
This should produce a single TLS1.2 cipher suite.
CirrostratusHi Mohanish,
If you want to configure specific cipher you have to negate everything which is above this cipher .
You can check serverside Cipher list with tmm --serverciphers ''
Nimbostratus