How-To
This article applies to BIG-IP 9.x - 10.x. For information about other versions, refer to the following
article:
When configuring a Secure Socket Layer (SSL) profile on the BIG-IP LTM system, you can specify the
ciphers available for SSL connections, or you can use the default cipher string, DEFAULT.
For Client SSL profiles, the definition of the DEFAULT cipher string is as follows:
Note: When you use the ! symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if the cipher is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but a later option in the cipher string can add it back.
Version 10.2.x
!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED
Note: !DES does not exclude the use of 3DES ciphers.
This cipher string is defined as follows:
!SSLv2 - Do not use SSLv2 ciphers
ALL - Use all ciphers
!DH - Do not use Diffie-Hellman (DH) key exchange ciphers
!ADH - Do not use anonymous DH ciphers
!EDH - Do not use ephemeral DH ciphers
!MD5 - Do not use ciphers with MD5 message authentication
!EXPORT - Do not use export-grade ciphers
!DES - Do not use single DES ciphers
@SPEED - Sort the cipher list by speed
Version 10.1.x
!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED
This cipher string is defined as follows:
!SSLv2 - Do not use SSLv2 ciphers
ALL - Use all ciphers
!DH - Do not use Diffie-Hellman (DH) key exchange ciphers
!ADH - Do not use anonymous DH ciphers
!EDH - Do not use ephemeral DH ciphers
@SPEED - Sort the cipher list by speed
!SSLv2 - Do not use SSLv2 ciphers
ALL - Use all ciphers
!ADH - Do not use anonymous DH ciphers
@SPEED - Sort the cipher list by speed
Version 9.x
!SSLv2:ALL:@SPEED
This cipher string is defined as follows:
!SSLv2 - Do not use SSLv2 ciphers
ALL - Use all ciphers
@SPEED - Sort the cipher list by speed
Important: Due to a known issue in BIG-IP 9.x, SSL connections that use 192-bit ciphers will fail. For information, refer to SOL13308: The BIG-IP system does not process 192 bit ciphers when configured with cipher strength of HIGH.
Cipher strength keywords:
EXPORT40 - 40-bit export ciphers
EXP - Export ciphers (40-bit and 56-bit)
LOW - 56-bit and 64-bit ciphers, excluding export ciphers
MEDIUM - 128-bit ciphers
HIGH - Ciphers stronger than 128 bits
Note: BIG-IP SSL profiles have the ability to use two different SSL stacks: native (built into TMM)
and compat (built into OpenSSL). The native SSL stack is an optimized SSL stack that the BIG-IP
system uses. The DEFAULT cipher setting in the BIG-IP SSL profiles gives preference to a small mix
of native and compat SSL ciphers at the maximum cipher strength level.
You can configure each SSL profile to use a custom cipher suite that specifies the ciphers and
strengths that will be available for use with client SSL connections using this profile. By applying
different profiles to different virtual servers, you can make some client SSL virtual servers more
permissive than others. For example, you can use this approach to allow only ciphers using 80 bit
encryption or better, thereby enforcing the PCI requirement for strong cryptography and eliminating
Weak Supported SSL Ciphers Suite violations.
Procedures
Configuring the SSL profile to block anonymous ciphers and SSL connections that use less than 128-bit ciphers
Configuring the SSL profile to block anonymous ciphers and SSL connections that use 128-bit ciphers or less
Configuring the SSL profile to block a specific SSL cipher
Configuring the SSL profile to block anonymous ciphers and SSL connections that use less than 128-bit ciphers
1.
2.
3.
4.
5.
6.
7.
8.
9. DEFAULT:!ADH:!EXPORT40:!EXP:!LOW
10. Click Finished.
You must now associate the SSL profile with the virtual server.
Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the
following commands:
bigpipe profile clientssl <name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW' }
bigpipe save
Configuring the SSL profile to block anonymous ciphers and SSL connections that use 128-bit ciphers or less
1.
2.
3.
4.
5.
6.
7.
8.
9. DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM
10. Click Finished.
You must now associate the SSL profile with the virtual server.
Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the following commands:
bigpipe profile clientssl <name> { ciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM' }
bigpipe save
Configuring the SSL profile to block a specific SSL cipher
DEFAULT:!EXP1024-RC2-CBC-MD5
10. Click Finished.
You must now associate the SSL profile with the virtual server.
Note: Alternatively, to perform the above operation from the BIG-IP system command line, run the following commands:
bigpipe profile clientssl <name> { ciphers 'DEFAULT:!EXP1024-RC2-CBC-MD5' }
bigpipe save
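The following is an added example, not F5 code and not the BIG-IP cipher engine: a small Python evaluator of OpenSSL-style cipher strings that shows what the three procedure strings above leave enabled under the 9.x and 10.2.x DEFAULT definitions quoted earlier in this article, why ! is permanent while - is not, and why !DES leaves 3DES in place. The suite table, its attributes and speed ranks are constructed for illustration, and the LOW/MEDIUM/HIGH thresholds are simplified; only the DEFAULT strings and the procedure strings come from the article.

```python
"""Toy evaluator for OpenSSL-style cipher strings (added example, not F5 code).

The suite table, its speed ranks and the simplified strength thresholds are
constructed for illustration; keyword semantics follow the OpenSSL cipher-list
rules that BIG-IP 9.x/10.x SSL profiles use, as described in the article above.
"""
from dataclasses import dataclass

# DEFAULT cipher strings quoted from the article (version 10.2.x and version 9.x).
DEFAULT_10_2 = "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED"
DEFAULT_9 = "!SSLv2:ALL:@SPEED"


@dataclass(frozen=True)
class Suite:
    name: str       # OpenSSL-style suite name
    protocol: str   # "SSLv2" or "SSLv3" (TLSv1 reuses the SSLv3 suites here)
    kx: str         # key exchange: "RSA", "DH" (fixed), "EDH" (ephemeral), "ADH" (anonymous)
    mac: str        # "MD5" or "SHA1"
    enc: str        # "AES", "RC4", "3DES", "DES", "RC2"
    bits: int       # symmetric key strength
    export: bool    # export-grade suite
    speed: int      # constructed relative speed rank, higher is faster


# Constructed table: realistic names, but attributes and speed ranks are illustrative.
SUITES = [
    Suite("AES256-SHA", "SSLv3", "RSA", "SHA1", "AES", 256, False, 5),
    Suite("DHE-RSA-AES256-SHA", "SSLv3", "EDH", "SHA1", "AES", 256, False, 4),
    Suite("ADH-AES256-SHA", "SSLv3", "ADH", "SHA1", "AES", 256, False, 4),
    Suite("AES128-SHA", "SSLv3", "RSA", "SHA1", "AES", 128, False, 6),
    Suite("RC4-SHA", "SSLv3", "RSA", "SHA1", "RC4", 128, False, 8),
    Suite("RC4-MD5", "SSLv3", "RSA", "MD5", "RC4", 128, False, 9),
    Suite("DES-CBC3-SHA", "SSLv3", "RSA", "SHA1", "3DES", 168, False, 2),
    Suite("DES-CBC-SHA", "SSLv3", "RSA", "SHA1", "DES", 56, False, 3),
    Suite("EXP1024-RC2-CBC-MD5", "SSLv3", "RSA", "MD5", "RC2", 56, True, 7),
    Suite("EXP-RC4-MD5", "SSLv3", "RSA", "MD5", "RC4", 40, True, 9),
    Suite("DES-CBC3-MD5", "SSLv2", "RSA", "MD5", "3DES", 168, False, 2),
]


def matches(s, kw):
    """Does suite s belong to cipher-string keyword kw (or is it the suite named kw)?"""
    if kw == "ALL":
        return True
    if kw == "SSLv2":
        return s.protocol == "SSLv2"
    if kw == "DH":                      # every Diffie-Hellman variant
        return s.kx in ("DH", "EDH", "ADH")
    if kw in ("ADH", "EDH", "RSA"):
        return s.kx == kw
    if kw == "MD5":
        return s.mac == "MD5"
    if kw == "DES":                     # single DES only; 3DES is not excluded (see note)
        return s.enc == "DES"
    if kw in ("EXPORT", "EXP"):
        return s.export
    if kw == "EXPORT40":
        return s.export and s.bits == 40
    if kw == "LOW":                     # simplified strength classes
        return not s.export and s.bits <= 64
    if kw == "MEDIUM":
        return not s.export and s.bits == 128
    if kw == "HIGH":
        return not s.export and s.bits > 128
    return s.name == kw                 # anything else names one specific suite


def evaluate(cipher_string, default=DEFAULT_10_2):
    """Return the ordered list of suite names that cipher_string selects from SUITES.

    DEFAULT is expanded in place to the given version's definition, so any "!"
    kills inside it persist for the rest of the string.
    """
    tokens = []
    for tok in cipher_string.split(":"):
        tokens.extend(default.split(":") if tok == "DEFAULT" else [tok])

    active = []      # current ordered cipher list
    killed = set()   # permanently removed by "!"
    for tok in tokens:
        if tok == "@SPEED":
            active.sort(key=lambda s: s.speed, reverse=True)
            continue
        if tok == "@STRENGTH":
            active.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, kw = (tok[0], tok[1:]) if tok and tok[0] in "!-+" else ("", tok)
        hit = [s for s in SUITES if matches(s, kw)]
        if op == "!":      # remove and forbid re-adding
            killed.update(hit)
            active = [s for s in active if s not in hit]
        elif op == "-":    # remove, but a later keyword may add it back
            active = [s for s in active if s not in hit]
        elif op == "+":    # move matching suites to the end of the list
            active = [s for s in active if s not in hit] + [s for s in active if s in hit]
        else:              # append matching suites not already present or killed
            active += [s for s in hit if s not in active and s not in killed]
    return [s.name for s in active]


def weakest_bits(cipher_string, default=DEFAULT_10_2):
    """Key strength of the weakest suite the string leaves enabled (None if empty)."""
    by_name = {s.name: s for s in SUITES}
    names = evaluate(cipher_string, default)
    return min(by_name[n].bits for n in names) if names else None


if __name__ == "__main__":
    for version, default in (("9.x", DEFAULT_9), ("10.2.x", DEFAULT_10_2)):
        for cs in ("DEFAULT", "DEFAULT:!ADH:!EXPORT40:!EXP:!LOW",
                   "DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!MEDIUM", "DEFAULT:!EXP1024-RC2-CBC-MD5"):
            print(f"{version:7} {cs:45} weakest={weakest_bits(cs, default)} {evaluate(cs, default)}")
    # "!" is permanent, "-" is not: only the second string re-enables anonymous DH.
    print(evaluate("DEFAULT:!ADH:ADH", DEFAULT_9))
    print(evaluate("DEFAULT:-ADH:ADH", DEFAULT_9))
```

Run against the 9.x DEFAULT, the first procedure string leaves nothing weaker than 128 bits and the second nothing weaker than 168 bits, which is the property the procedure titles promise; against the 10.2.x DEFAULT the same strings change nothing, because that DEFAULT already removes anonymous DH, export and single DES suites. Treat the output as a way to reason about a cipher string before applying it, not as a substitute for checking the profile on the BIG-IP system itself.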
Supplemental Information
SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
Bigpipe Utility Reference Guide
SOL13308: The BIG-IP system does not process 192 bit ciphers when configured with cipher strength of HIGH