Question
- What do the cipher string keywords mean in front end and back end SSL profiles?
Environment
- Silverline WAF
- Silverline DDoS
- Proxy/Proxies
- SSL Certificate/SSL Frontend Profile/SSL Backend Profile
- SSL Ciphers
Answer
- Sorting keyword
- @STRENGTH: Re-orders the list to put stronger ciphers from the specified list first.
- Protocol keywords
- TLSv1_2: cipher suites available under TLS version 1.2
- TLSv1_1: cipher suites available under TLS version 1.1
- TLSv1: cipher suites available under TLS version 1.0
- SSLv3: cipher suites available under SSL version 3
- General cipher grouping keywords
- ALL: All native cipher suites
- NATIVE: Ciphers implemented natively in the TMM (Traffic Management Microkernel)
- HIGH: 'High' security cipher suites; >128-bit
- MEDIUM: 'Medium' security cipher suites; effectively 128-bit suites
- LOW: 'Low' security cipher suites; <128-bit excluding export grade ciphers
- EXPORT: Export grade ciphers; 40-bit or 56-bit
- Key exchange algorithm keywords (sometimes with Authentication specified)
- ECDHE or ECDHE_RSA: Elliptic Curve Diffie-Hellman Ephemeral (with RSA)
- DHE or EDH: Diffie-Hellman Ephemeral (aka Ephemeral Diffie-Hellman) (with RSA)
- RSA: RSA (Rivest–Shamir–Adleman)
- ADH: Anonymous Diffie-Hellman.
- Bulk encryption algorithm keywords
- AES-GCM: AES in GCM mode; 128-bit or 256-bit
- AES: AES in CBC mode; 128-bit or 256-bit
- CAMELLIA: Camellia in CBC mode; 128-bit or 256-bit
- 3DES: Triple DES in CBC mode; 168-bit key (112-bit effective security)
- DES: Single DES in CBC mode, includes EXPORT ciphers; 40-bit & 56-bit.
- RC4: RC4 stream cipher
- Message Authentication Code (MAC) algorithm keywords
- SHA384: SHA-2 384-bit hash
- SHA256: SHA-2 256-bit hash
- SHA: SHA-1 160-bit hash
- MD5: MD5 128-bit hash
- Combination and exclusion symbols
- Combine keywords using '+' (plus sign)
- '!' (exclamation point) is a hard exclusion. Anything excluded this way cannot be implicitly or explicitly re-enabled. It is disabled, period.
- '-' (minus sign or dash) is a soft exclusion. Anything excluded this way can be explicitly re-enabled later in the configuration string.
- Note: The dash is also used in the names of many cipher suites, such as ECDHE-RSA-AES128-GCM-SHA256 or RC4-SHA. Do not confuse the dashes that are part of the cipher suite names with a soft exclusion, which always precedes, or prefixes, the value being excluded.
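As an added example (not from the Silverline documentation), the following Python evaluates a cipher string over a small constructed suite table using the rules above: '+' combines keywords, '!' bans a match permanently, '-' removes it but lets a later keyword re-enable it, and @STRENGTH re-orders the selected list by key size. The table, its keyword tags and the HIGH/MEDIUM/LOW grading are assumptions for illustration, not the TMM's real cipher list.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample table (not the real TMM list): suite name -> (keyword tags, key bits).
# Simplification: the RSA tag marks static RSA key exchange only; ECDHE/DHE suites carry their own tags.
SUITES: Dict[str, Tuple[Set[str], int]] = {
    "ECDHE-RSA-AES256-GCM-SHA384": ({"ECDHE", "ECDHE_RSA", "AES-GCM", "SHA384", "TLSv1_2"}, 256),
    "ECDHE-RSA-AES128-GCM-SHA256": ({"ECDHE", "ECDHE_RSA", "AES-GCM", "SHA256", "TLSv1_2"}, 128),
    "DHE-RSA-AES256-SHA": ({"DHE", "EDH", "AES", "SHA", "TLSv1", "TLSv1_1", "TLSv1_2"}, 256),
    "AES128-SHA": ({"RSA", "AES", "SHA", "TLSv1", "TLSv1_1", "TLSv1_2"}, 128),
    "DES-CBC3-SHA": ({"RSA", "3DES", "SHA", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}, 168),
    "RC4-SHA": ({"RSA", "RC4", "SHA", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"}, 128),
    "EXP-DES-CBC-SHA": ({"RSA", "DES", "EXPORT", "SHA", "SSLv3"}, 40),
}


def keywords(name: str) -> Set[str]:
    """All keywords a suite answers to: its tags, its own name, ALL/NATIVE and a strength grade."""
    tags, bits = SUITES[name]
    grade = "EXPORT" if "EXPORT" in tags else "HIGH" if bits > 128 else "MEDIUM" if bits == 128 else "LOW"
    return tags | {name, "ALL", "NATIVE", grade}


def matches(name: str, token: str) -> bool:
    # '+' inside a token combines keywords: every part must apply to the suite
    return all(part in keywords(name) for part in token.split("+"))


def expand(cipher_string: str) -> List[str]:
    """Return the ordered suite list a cipher string selects from SUITES."""
    selected: List[str] = []
    banned: Set[str] = set()  # hard exclusions ('!') can never be re-enabled
    for token in cipher_string.split(":"):
        if token == "@STRENGTH":
            # stable sort: stronger first, equal strengths keep their relative order
            selected.sort(key=lambda n: SUITES[n][1], reverse=True)
        elif token.startswith("!"):
            hit = {n for n in SUITES if matches(n, token[1:])}
            banned |= hit
            selected = [n for n in selected if n not in hit]
        elif token.startswith("-"):
            # soft exclusion: dropped now, but a later keyword may add it back
            selected = [n for n in selected if not matches(n, token[1:])]
        else:
            selected += [n for n in SUITES if matches(n, token) and n not in banned and n not in selected]
    return selected


if __name__ == "__main__":
    print(expand("ALL:!EXPORT:!RC4:-AES:DHE+AES:@STRENGTH"))
```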
Related Content
- SSL Profiles Workflow
- SSL Profile Management
- Components of a Working SSL Certificate
- Q&A: What are the ciphers that are supported in Silverline?
- Q&A: What are the SOC Curated Ciphers that Silverline Uses in SSL Profile?
- Mapping OpenSSL Suite to IANA - https://testssl.sh/openssl-iana.mapping.html
- How To Configure custom - Static SSL Ciphers For Front End And Back End SSL Profiles