Forum Discussion
SSL Profiles and Strength
When I view my ssl certificate summary in Chrome for instance, it says "your connection to xyz is encrypted with 128-bit encryption"
I recently just installed a new digital certificate that supports 256 bit encryption. Maybe I'm naive, but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?
Here's another way of asking the same thing. Should I have something set differently in the BigIP to default to the highest level possible or should I be changing a client browser setting to increase my rate?
A little education is appreciated.
5 Replies
- nitass
Employee
> but shouldn't I be able to elevate up from 128 if my browser (talking https here) can support it?

you have to modify the ciphers setting in the clientssl profile.
sol7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7815.html
just in case this is for config utility (webui).
sol6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html
> Should I have something set differently in the BigIP to default to the highest level possible or should I be changing a client browser setting to increase my rate?

since we can't control all clients, i prefer setting it on the bigip side.
- chester_16314
Nimbostratus
Thanks for the links, that was good information and it validated some of what I've been doing. I had already augmented the ciphers to block some that I didn't want to support. Essentially, for strength I've blocked low and still support Medium and High.
As I read that post, it appears that the BigIP will 'support' the medium and high ciphers. Is there a way I can order the ciphers so that if the client supports high it uses it? Perhaps this is something that has to be done with an iRule, changing the VS or profile based on the capability of the client? Directing the client to the profile that supports ONLY high if they can support it.
This is not for the config utility by the way, but thanks for offering that up. - nitass
Employee
you can use @STRENGTH instead of @SPEED.

this is 10.2.3.

```
[root@ve1023:Active] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED'
      ID  SUITE           BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:    5  RC4-SHA          128  SSL3    Native  RC4     SHA     RSA
 1:    5  RC4-SHA          128  TLS1    Native  RC4     SHA     RSA
 2:    5  RC4-SHA          128  TLS1.2  Native  RC4     SHA     RSA
 3:   47  AES128-SHA       128  SSL3    Native  AES     SHA     RSA
 4:   47  AES128-SHA       128  TLS1    Native  AES     SHA     RSA
 5:   47  AES128-SHA       128  TLS1.2  Native  AES     SHA     RSA
 6:   47  AES128-SHA       128  DTLS1   Native  AES     SHA     RSA
 7:   53  AES256-SHA       256  SSL3    Native  AES     SHA     RSA
 8:   53  AES256-SHA       256  TLS1    Native  AES     SHA     RSA
 9:   53  AES256-SHA       256  TLS1.2  Native  AES     SHA     RSA
10:   53  AES256-SHA       256  DTLS1   Native  AES     SHA     RSA
11:   10  DES-CBC3-SHA     192  SSL3    Native  DES     SHA     RSA
12:   10  DES-CBC3-SHA     192  TLS1    Native  DES     SHA     RSA
13:   10  DES-CBC3-SHA     192  TLS1.2  Native  DES     SHA     RSA
14:   10  DES-CBC3-SHA     192  DTLS1   Native  DES     SHA     RSA
15:   60  AES128-SHA256    128  TLS1.2  Native  AES     SHA256  RSA
16:   61  AES256-SHA256    256  TLS1.2  Native  AES     SHA256  RSA

[root@ve1023:Active] config tmm --clientciphers '!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@STRENGTH'
      ID  SUITE           BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:   53  AES256-SHA       256  SSL3    Native  AES     SHA     RSA
 1:   53  AES256-SHA       256  TLS1    Native  AES     SHA     RSA
 2:   53  AES256-SHA       256  TLS1.2  Native  AES     SHA     RSA
 3:   53  AES256-SHA       256  DTLS1   Native  AES     SHA     RSA
 4:   61  AES256-SHA256    256  TLS1.2  Native  AES     SHA256  RSA
 5:   10  DES-CBC3-SHA     192  SSL3    Native  DES     SHA     RSA
 6:   10  DES-CBC3-SHA     192  TLS1    Native  DES     SHA     RSA
 7:   10  DES-CBC3-SHA     192  TLS1.2  Native  DES     SHA     RSA
 8:   10  DES-CBC3-SHA     192  DTLS1   Native  DES     SHA     RSA
 9:    5  RC4-SHA          128  SSL3    Native  RC4     SHA     RSA
10:    5  RC4-SHA          128  TLS1    Native  RC4     SHA     RSA
11:    5  RC4-SHA          128  TLS1.2  Native  RC4     SHA     RSA
12:   47  AES128-SHA       128  SSL3    Native  AES     SHA     RSA
13:   47  AES128-SHA       128  TLS1    Native  AES     SHA     RSA
14:   47  AES128-SHA       128  TLS1.2  Native  AES     SHA     RSA
15:   47  AES128-SHA       128  DTLS1   Native  AES     SHA     RSA
16:   60  AES128-SHA256    128  TLS1.2  Native  AES     SHA256  RSA
```
- chester_16314
Nimbostratus
Great, that worked! So as a follow up, does doing this make any sense? I wanted to prove I could make use of the 256 bit key, but in reality is there really any added security to offset that performance hit?
- nitass
Employee
i do not have an answer for you, but just thinking: key length is not the only factor; the algorithm also has an effect.
BEAST is one example.
sol13400: SSL 3.0 / TLS 1.0 "BEAST" vulnerability CVE-2011-3389
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13400.html
just my 2c.
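The two listings nitass posted show the mechanism behind the original question: the "128-bit" Chrome reports is the symmetric cipher suite negotiated in the handshake, and when the server's preference order is used (which is what the `tmm --clientciphers` order represents) the BIG-IP picks the first suite in its own list that the client also offered, so a `@SPEED` order lands on RC4-SHA (128) even though AES256-SHA is enabled, while `@STRENGTH` lands on AES256-SHA. The following is an added example, not code from the thread or from F5: it parses the `@SPEED` listing transcribed from above, models `@STRENGTH` as a stable sort by key bits (which reproduces the second listing exactly), and runs server-preference negotiation against constructed client offers. The client cipher lists and the `Suite`/`negotiate` helpers are assumptions for the demonstration, not real browser offers or BIG-IP internals.

```python
"""Added example (not from the thread or F5): model how the clientssl
profile's cipher order decides the cipher a browser ends up with.
The server listing is transcribed from the @SPEED output in the thread;
the client offers below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Suite:
    """One row of `tmm --clientciphers` output (assumed field layout)."""
    name: str
    bits: int       # symmetric strength the browser reports ("128-bit encryption")
    protocol: str   # SSL3, TLS1, TLS1.2, DTLS1
    cipher: str
    mac: str
    keyx: str


# Transcribed from the @SPEED listing in the thread, in server preference order.
SPEED_LISTING = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 5 RC4-SHA 128 SSL3 Native RC4 SHA RSA
1: 5 RC4-SHA 128 TLS1 Native RC4 SHA RSA
2: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
3: 47 AES128-SHA 128 SSL3 Native AES SHA RSA
4: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
5: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
6: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
7: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
8: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
9: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
10: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
11: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
12: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
13: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
14: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
15: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
16: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
"""


def parse_listing(text: str) -> List[Suite]:
    """Parse the whitespace-separated table into Suite rows, keeping the order."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "ID":
            continue  # skip blank lines and the header row
        _idx, _id, name, bits, proto, _method, cipher, mac, keyx = fields
        suites.append(Suite(name, int(bits), proto, cipher, mac, keyx))
    return suites


def strength_order(suites: Sequence[Suite]) -> List[Suite]:
    """Model @STRENGTH: largest key size first; ties keep their @SPEED order.
    A stable sort on descending bits reproduces the @STRENGTH listing above."""
    return sorted(suites, key=lambda s: -s.bits)


def negotiate(server_order: Sequence[Suite], client_offer: Sequence[str],
              protocol: str) -> Optional[Suite]:
    """Server-preference negotiation: walk the server's list and return the
    first suite for the negotiated protocol that the client also offered."""
    offered = set(client_offer)
    for suite in server_order:
        if suite.protocol == protocol and suite.name in offered:
            return suite
    return None  # no overlap: the handshake would fail


# Constructed client offers for the demonstration (not real browser lists).
BROWSER_OFFER = ["AES128-SHA", "AES256-SHA", "RC4-SHA", "DES-CBC3-SHA"]
WEAK_CLIENT_OFFER = ["RC4-SHA", "AES128-SHA"]  # client that has no 256-bit suite


def demo() -> dict:
    """Negotiate the same client offers against the @SPEED and @STRENGTH orders."""
    speed = parse_listing(SPEED_LISTING)
    strength = strength_order(speed)
    return {
        "speed": negotiate(speed, BROWSER_OFFER, "TLS1.2"),          # RC4-SHA, 128-bit
        "strength": negotiate(strength, BROWSER_OFFER, "TLS1.2"),    # AES256-SHA, 256-bit
        "weak_client": negotiate(strength, WEAK_CLIENT_OFFER, "TLS1.2"),  # RC4-SHA
    }


if __name__ == "__main__":
    for label, suite in demo().items():
        print(f"{label:12s} -> {suite.name} ({suite.bits}-bit, {suite.protocol})")
```

The `weak_client` case is the other half of nitass's point about not controlling every client: reordering on the BIG-IP raises what capable browsers get, but a client that never offers a 256-bit suite still negotiates 128-bit, and the only way to force the issue is to remove the weaker suites from the profile entirely, at the cost of refusing those clients.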
