Forum Discussion
5 Replies
- Brian_ThompsonNimbostratus
It appears to be 168bit SSLv3 only; if this is incorrect, please correct me. If it's correct, please mark this solved by submitter.
- What_Lies_Bene1Cirrostratus
A cipher suite won't provide the TLS/SSL version. For the rest, it breaks down like so:
key exchange/agreement : RSA
bulk cipher : 3DES_EDE_CBC - 168bit key size (112 effective)
message authentication : SHA (1) - 128bit key size
Strength-wise I think it's still strong (it's a matter of personal and mathematical opinion I guess) but AES is obviously now preferred over 3DES. SHA is still fine as far as I know.
I'm sure Kevin will be along to correct me ;-)
- Brian_ThompsonNimbostratus
Okay, that is helpful info. What is the corresponding cipher name in the F5 SSL Profile to enable this and this only? That's the real question I'm attempting to find an answer to.
- What_Lies_Bene1Cirrostratus
DES-CBC3-SHA I believe. As this is a 'native' cipher, it will also be fully hardware accelerated, which is lucky!
- Kevin_StewartEmployee
I'd first direct your attention to Jason Rahm's excellent article on cipher suites:
SSL Profiles Part 4: Cipher Suites
You can actually see what the ciphers are from the command line using the following command:
tmm --ciphersuites 'filter'
where 'filter' is what you're looking for. Steve is absolutely correct that the cipher suite itself doesn't include TLS or SSL, as that's the protocol. So to narrow down the SSL cipher to just "TLS_RSA_WITH_3DES_EDE_CBC_SHA", first do this to see what that would look like:
tmm --clientciphers '!SSLv3:!DTLSv1:DES-CBC3-SHA:@STRENGTH'
     ID  SUITE         BITS  PROT    METHOD  CIPHER  MAC  KEYX
 0:  10  DES-CBC3-SHA  192   TLS1    Native  DES     SHA  RSA
 1:  10  DES-CBC3-SHA  192   TLS1.1  Native  DES     SHA  RSA
 2:  10  DES-CBC3-SHA  192   TLS1.2  Native  DES     SHA  RSA
I think this is what you're looking for, so then use that filter in your client SSL profile and test:
!SSLv3:!DTLSv1:DES-CBC3-SHA:@STRENGTH
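
One way to check a filter's output before putting it in a client SSL profile, as an added example that is not part of the thread: the shell function below reads `tmm --clientciphers` output and fails if any row lists a different suite or an SSL/DTLS protocol. The function name `check_ciphers`, the rows marked constructed, and the column positions (taken from the output quoted above) are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. On a BIG-IP you would run:
#   tmm --clientciphers '!SSLv3:!DTLSv1:DES-CBC3-SHA:@STRENGTH' | check_ciphers DES-CBC3-SHA
# Return status: 0 = only the allowed suite over TLS, 1 = problem rows, 2 = nothing parsed.

check_ciphers() {
    awk -v allowed="$1" '
        # Data rows start with an index such as "0:"; the header row does not.
        $1 !~ /^[0-9]+:$/ { next }
        {
            rows++
            suite = $3; prot = $5      # columns: idx ID SUITE BITS PROT METHOD ...
            if (suite != allowed)     { print "unexpected suite: " suite " (" prot ")"; bad++ }
            if (prot ~ /^(SSL|DTLS)/) { print "unwanted protocol: " prot " (" suite ")"; bad++ }
        }
        END {
            if (rows == 0) { print "no cipher rows parsed"; exit 2 }
            printf "%d rows checked, %d problems\n", rows, bad
            exit (bad > 0)
        }
    '
}

# Rows as quoted in the thread for the final filter.
SAMPLE_OK='     ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
 1: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
 2: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA'

# Constructed rows (not real tmm output): a looser filter that lets SSLv3
# and a second suite through.
SAMPLE_BAD='     ID SUITE BITS PROT METHOD CIPHER MAC KEYX
 0: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
 1: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
 2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA'

printf '%s\n' "$SAMPLE_OK"  | check_ciphers DES-CBC3-SHA
printf '%s\n' "$SAMPLE_BAD" | check_ciphers DES-CBC3-SHA || echo "filter needs tightening"
```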