
SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)

How-To

Original Publication Date: 08/23/2007


Updated Date: 07/13/2012

This article applies to BIG-IP 9.x - 10.x. For information about other versions, refer to the following
article:

SOL13171: Configuring the cipher strength for SSL profiles (11.x)

When configuring a Secure Sockets Layer (SSL) profile on the BIG-IP LTM system, you can specify the
ciphers available for SSL connections, or you can use the default cipher string, DEFAULT.

For Client SSL profiles, the definition of the DEFAULT cipher string is as follows:

Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the
cipher from the cipher list, even if it is explicitly stated later in the cipher string. When you use
the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but a later
option in the string can add it back.

Version 10.2.x

!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED

Note: !DES does not exclude the use of 3DES ciphers.
This cipher string is defined as follows:

Parameter   Definition
!SSLv2      Do not use SSL version 2
ALL         Use all SSL ciphers in the default SSL stack
!DH         Do not use DH ciphers
!ADH        Do not use ADH ciphers
!EDH        Do not use EDH ciphers
!MD5        Do not use MD5 ciphers
!EXPORT     Do not use EXPORT grade (weak) ciphers
!DES        Do not use DES ciphers
@SPEED      Order the cipher preference by speed

Version 10.1.x

!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED

This cipher string is defined as follows:

Parameter   Definition
!SSLv2      Do not use SSL version 2
ALL         Use all SSL ciphers in the default SSL stack
!DH         Do not use DH ciphers
!ADH        Do not use ADH ciphers
!EDH        Do not use EDH ciphers
@SPEED      Order the cipher preference by speed

Versions 10.0.0 through 10.0.1

!SSLv2:ALL:!ADH:@SPEED

This cipher string is defined as follows:

Parameter   Definition
!SSLv2      Do not use SSL version 2
ALL         Use all SSL ciphers in the default SSL stack
!ADH        Do not use ADH ciphers
@SPEED      Order the cipher preference by speed

Versions 9.x

!SSLv2:ALL:@SPEED

This cipher string is defined as follows:

Parameter   Definition
!SSLv2      Do not use SSL version 2
ALL         Use all SSL ciphers in the default SSL stack
@SPEED      Order the cipher preference by speed

Important: Due to a known issue in BIG-IP 9.x, SSL connections that use 192 bit ciphers will fail.
For more information, refer to SOL13308: The BIG-IP system does not process 192 bit ciphers when
configured with cipher strength of HIGH.

Configuring the cipher strength

A Client SSL profile using the default cipher string allows SSL connections with the following cipher
strengths to connect to the virtual server:

Cipher strength   Definition
EXPORT40          Cipher of 40 bits export strength
EXP               Cipher length of 40 or 56 bits export strength
LOW               Cipher strength of 64 bits
MEDIUM            Cipher strength of 128 bits
HIGH              Cipher strength of greater than 128 bits

Note: BIG-IP SSL profiles can use two different SSL stacks: native (built into TMM) and compat
(built into OpenSSL). The native SSL stack is an optimized SSL stack that the BIG-IP system uses.
The DEFAULT cipher setting in the BIG-IP SSL profiles gives preference to a small mix of native and
compat SSL ciphers at the maximum cipher strength level.

You can configure each SSL profile to use a custom cipher suite that specifies the ciphers and
strengths that will be available for use with client SSL connections using this profile. By applying
different profiles to different virtual servers, you can make some client SSL virtual servers more
permissive than others. For example, you can use this approach to allow only ciphers using 80 bit
encryption or better, thereby enforcing the PCI requirement for strong cryptography and eliminating
Weak Supported SSL Ciphers Suite violations.
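The following Python script is an added example, not F5 code: it models the cipher-string rules described above (permanent removal with !, reversible removal with -, the !DES/3DES distinction and the EXP/LOW/MEDIUM/HIGH strength classes) over a small constructed cipher table, expanding DEFAULT exactly as the 9.x and 10.2.x definitions above give it. The cipher names, their tags and the speed ranks used by @SPEED are constructed for illustration, so the output shows the evaluation rules, not the real BIG-IP cipher inventory.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cipher:
    name: str
    tags: frozenset  # keywords the cipher matches: strength class, key exchange, MAC, ...
    speed: int       # constructed rank used only by @SPEED; higher sorts earlier

# Constructed sample stack; strength tags follow the page's EXP/LOW/MEDIUM/HIGH classes.
# 3DES is tagged "3DES", not "DES", so !DES leaves it in place, as the page notes.
STACK = [
    Cipher("AES256-SHA",     frozenset({"ALL", "HIGH", "AES", "SHA"}), 3),
    Cipher("DES-CBC3-SHA",   frozenset({"ALL", "HIGH", "3DES", "SHA"}), 1),
    Cipher("AES128-SHA",     frozenset({"ALL", "MEDIUM", "AES", "SHA"}), 4),
    Cipher("RC4-MD5",        frozenset({"ALL", "MEDIUM", "RC4", "MD5"}), 5),
    Cipher("ADH-AES128-SHA", frozenset({"ALL", "MEDIUM", "DH", "ADH", "AES", "SHA"}), 4),
    Cipher("DES-CBC-SHA",    frozenset({"ALL", "LOW", "DES", "SHA"}), 2),
    Cipher("EXP-RC4-MD5",    frozenset({"ALL", "EXP", "EXPORT", "EXPORT40", "RC4", "MD5"}), 5),
]

# DEFAULT exactly as the page defines it for two of the versions it covers.
DEFAULT = {
    "9.x":    "!SSLv2:ALL:@SPEED",
    "10.2.x": "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED",
}

def evaluate(cipher_string, version="10.2.x", stack=STACK):
    """Return the cipher names the string leaves enabled, in preference order."""
    tokens = [t for tok in cipher_string.split(":")
              for t in (DEFAULT[version].split(":") if tok == "DEFAULT" else [tok]) if t]
    selected, banned = [], set()
    for tok in tokens:
        if tok.startswith("@"):                 # ordering directive; only @SPEED modelled
            if tok == "@SPEED":
                selected.sort(key=lambda c: -c.speed)   # stable sort keeps ties in place
            continue
        op, word = (tok[0], tok[1:]) if tok[0] in "!-" else ("", tok)
        hits = [c for c in stack if c.name == word or word in c.tags]
        if op == "!":                           # permanent removal: can never come back
            banned.update(hits)
            selected = [c for c in selected if c not in hits]
        elif op == "-":                         # removal that a later token may undo
            selected = [c for c in selected if c not in hits]
        else:                                   # append new matches unless banned
            selected += [c for c in hits if c not in banned and c not in selected]
    return [c.name for c in selected]

if __name__ == "__main__":
    print(evaluate("DEFAULT:!ADH:!EXPORT40:!EXP:!LOW", "9.x"))
```

On 9.x the explicit !EXPORT40:!EXP:!LOW terms do real work because DEFAULT is only !SSLv2:ALL:@SPEED, whereas on 10.2.x DEFAULT already drops the export, DES and MD5 ciphers.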

Procedures

Configuring the SSL profile to block anonymous ciphers and SSL connections that use less than 128-bit ciphers
Configuring the SSL profile to block anonymous ciphers and SSL connections that use 128-bit ciphers or less
Configuring the SSL profile to block a specific SSL cipher

Configuring the SSL profile to block anonymous ciphers and SSL connections that use less than 128-bit ciphers

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles.
3. From the SSL menu, select Client.
4. Click Create.
5. Type a name for the SSL profile.
6. From the Parent Profile menu, select clientssl.
7. From the Configuration menu, select Advanced.
8. Select the Custom check box for Ciphers.
9. In the Ciphers box, enter the following string:

   DEFAULT:!ADH:!EXPORT40:!EXP:!LOW

10. Click Finished.

You must now associate the SSL profile with the virtual server.

Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the
following commands:

bigpipe profile clientssl <name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW' }
bigpipe save

Configuring the SSL profile to block anonymous ciphers and SSL connections that use 128-bit ciphers or less

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles.
3. From the SSL menu, select Client.
4. Click Create.
5. Type a name for the SSL profile.
6. From the Parent Profile menu, select clientssl.
7. From the Configuration menu, select Advanced.
8. Select the Custom check box for Ciphers.
9. In the Ciphers box, enter the following string:

   DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM

10. Click Finished.

You must now associate the SSL profile with the virtual server.

Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the
following commands:

bigpipe profile clientssl <name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM' }
bigpipe save

Configuring the SSL profile to block a specific SSL cipher

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles.
3. From the SSL menu, select Client.
4. Click Create.
5. Type a name for the SSL profile.
6. From the Parent Profile menu, select clientssl.
7. From the Configuration menu, select Advanced.
8. Select the Custom check box for Ciphers.
9. In the Ciphers box, enter the cipher you want to block.
   For example, the following string would allow the default ciphers for the SSL profile and block the EXP1024-RC2-CBC-MD5 cipher:

   DEFAULT:!EXP1024-RC2-CBC-MD5

10. Click Finished.

You must now associate the SSL profile with the virtual server.

Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the
following commands:

bigpipe profile clientssl <name> { ciphers 'DEFAULT:!EXP1024-RC2-CBC-MD5' }
bigpipe save

Supplemental Information

SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
Bigpipe Utility Reference Guide
SOL13308: The BIG-IP system does not process 192 bit ciphers when configured with cipher strength of HIGH