Can i prioritize the cipher suites in the ssl profile. For example if I have the following 4 cipher suites, how do I arrange them based on priority. I want them in following order where 1 is the highest priority and 4 is the lowest? 1 - RSA_WITH_RC4_128_SHA 2 - RSA_WITH_AES_256_CBC_SHA 3 - RSA_WITH_AES_128_CBC_SHA 4 - RSA_WITH_3DES_EDE_CBC_SHA

Yes you can. Just add them from left to right, just like you've done. You can find the "short names" here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html /Patrik

A tip is to set up a virtual server for testing and test with Qualys SSL labs. Then you can see the browser compatibility. /Patrik

The last one should be DES-CBC3-SHA. "!" means that you DON'T want the cipher in the list and you separate each cipher with a ":". Here's a ok, if a bit outdated article about cipher strings: https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites /Patrik

Hi Guys, Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....

How to prioritize cipher suites on F5

22 Replies

Patrik_Jonsson
MVP
Oct 21, 2015
Yes you can. Just add them from left to right, just like you've done. You can find the "short names" here:

https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

/Patrik
Patrik_Jonsson
MVP
Oct 21, 2015
A tip is to set up a virtual server for testing and test with Qualys SSL labs. Then you can see the browser compatibility.

/Patrik
Patrik_Jonsson
MVP
Oct 22, 2015
The last one should be DES-CBC3-SHA.

"!" means that you DON'T want the cipher in the list and you separate each cipher with a ":".

Here's a ok, if a bit outdated article about cipher strings:

https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites

/Patrik
Techgeeeg_28888
Nimbostratus
Nov 03, 2015
Hi Guys,

Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....
- nathe
  Cirrocumulus
  Nov 03, 2015
  if you append @STRENGTH to the end of the cipher string i think that will prioritise PFS ciphers from the BIG-IP. Someone may correct me on this....
Techgeeeg
Nimbostratus
Nov 03, 2015
Hi Guys,

Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....
- nathe
  Cirrocumulus
  Nov 03, 2015
  if you append @STRENGTH to the end of the cipher string i think that will prioritise PFS ciphers from the BIG-IP. Someone may correct me on this....
Techgeeeg
Nimbostratus
Nov 03, 2015
Actually I already did that but it puts the ciphers in the order of no. of bits like first it will put all 256 then 192 then 128 n so on.... but not in the order of PFS

Brad_Parker

Cirrus

Nov 03, 2015

'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'

will order the ciphers as requested.

tmm --clientciphers 'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0:     5  RC4-SHA                          128  SSL3    Native  RC4       SHA     RSA
 1:     5  RC4-SHA                          128  TLS1    Native  RC4       SHA     RSA
 2:     5  RC4-SHA                          128  TLS1.1  Native  RC4       SHA     RSA
 3:     5  RC4-SHA                          128  TLS1.2  Native  RC4       SHA     RSA
 4:    53  AES256-SHA                       256  SSL3    Native  AES       SHA     RSA
 5:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
 6:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
 7:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
 8:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
 9:    47  AES128-SHA                       128  SSL3    Native  AES       SHA     RSA
10:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
11:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA
12:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
13:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
14:    10  DES-CBC3-SHA                     168  SSL3    Native  DES       SHA     RSA
15:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
16:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
17:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
18:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA

PFS would be prioritized by specifying cipher suites that are PFS first. @STRENGTH really isn't valid any more as it just orders based on bits, not cipher suite. @SPEED is similar as it orders it by smallest bit to largest. i.e.

'!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'

tmm --clientciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM   SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES       SHA384  ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES       SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES       SHA     ECDHE_RSA
 5: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES       SHA     ECDHE_RSA
 6: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES       SHA256  ECDHE_RSA
 7: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES       SHA     ECDHE_RSA
 8: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES       SHA     ECDHE_RSA
 9: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES       SHA     ECDHE_RSA
10: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1    Native  DES       SHA     ECDHE_RSA
11: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.1  Native  DES       SHA     ECDHE_RSA
12: 49170  ECDHE-RSA-DES-CBC3-SHA           168  TLS1.2  Native  DES       SHA     ECDHE_RSA
13:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM   SHA384  RSA
14:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM   SHA256  RSA
15:    61  AES256-SHA256                    256  TLS1.2  Native  AES       SHA256  RSA
16:    53  AES256-SHA                       256  TLS1    Native  AES       SHA     RSA
17:    53  AES256-SHA                       256  TLS1.1  Native  AES       SHA     RSA
18:    53  AES256-SHA                       256  TLS1.2  Native  AES       SHA     RSA
19:    53  AES256-SHA                       256  DTLS1   Native  AES       SHA     RSA
20:    60  AES128-SHA256                    128  TLS1.2  Native  AES       SHA256  RSA
21:    47  AES128-SHA                       128  TLS1    Native  AES       SHA     RSA
22:    47  AES128-SHA                       128  TLS1.1  Native  AES       SHA     RSA
23:    47  AES128-SHA                       128  TLS1.2  Native  AES       SHA     RSA
24:    47  AES128-SHA                       128  DTLS1   Native  AES       SHA     RSA
25:    10  DES-CBC3-SHA                     168  TLS1    Native  DES       SHA     RSA
26:    10  DES-CBC3-SHA                     168  TLS1.1  Native  DES       SHA     RSA
27:    10  DES-CBC3-SHA                     168  TLS1.2  Native  DES       SHA     RSA
28:    10  DES-CBC3-SHA                     168  DTLS1   Native  DES       SHA     RSA

Techgeeeg
Nimbostratus
Nov 04, 2015
Hi Brad,

Thanks for the reply..... so what I believe is that by PFS Preference the ciphers can't be set on F5.
- Brad_Parker
  Cirrus
  Nov 04, 2015
  What do you mean by that? The order show above is the preference order with the F5 preferring The ciphers listed first.
Techgeeeg_28888
Nimbostratus
Nov 04, 2015
Hi Brad,

Thanks for the reply..... so what I believe is that by PFS Preference the ciphers can't be set on F5.
- Brad_Parker
  Cirrus
  Nov 04, 2015
  What do you mean by that? The order show above is the preference order with the F5 preferring The ciphers listed first.
Techgeeeg_28888
Nimbostratus
Nov 05, 2015
Hi Brad,

Apologies if I didnt get your above reply, my query was that I want to set the ciphers in the order that the the Ciphers which offer PFS should come first and than the ones which don't offer PFS. So is it possible to do this on F5? does your above reply show the ciphers set in the same order that the ciphers which order PFS are placed first and the ones which don't offer this are placed below??
- Brad_Parker
  Cirrus
  Nov 05, 2015
  Yes, the string above prioritizes PFS over non-PFS. Anything that contains ECDHE or DHE are PFS. Everything else, is not.

Forum Discussion

How to prioritize cipher suites on F5

22 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Cipher Suites Supported (12.1.5.3)

Cipher Suite Practices and Pitfalls

Disabling Specific Weak Cipher Suites

Cipher suite mismatch advertisement/warning

SSL Profiles Part 4: Cipher Suites