Q&A: What Do The Cipher String Keywords Mean In Front End And Back End SSL Profiles?



  • What do the cipher string keywords mean in front end and back end SSL profiles?



  • Silverline WAF
  • Silverline DDoS
  • Proxy/Proxies
  • SSL Certificate/SSL Frontend Profile/SSL Backend Profile
  • SSL Ciphers



  • Sorting keyword
    • @STRENGTH: Re-orders the list to put stronger ciphers from the specified list first.
  • Protocol keywords
    • TLSv1_2: cipher suites available under TLS version 1.2
    • TLSv1_1: cipher suites available under TLS version 1.1
    • TLSv1: cipher suites available under TLS version 1.0
    • SSLv3: cipher suites available under SSL version 3
  • General cipher grouping keywords
    • ALL: All native cipher suites
    • NATIVE: Ciphers implemented natively in the TMM (Traffic Management Microkernel)
    • HIGH: 'High' security cipher suites; >128-bit
    • MEDIUM: 'Medium' security cipher suites; effectively 128-bit suites
    • LOW: 'Low' security cipher suites; <128-bit excluding export grade ciphers
    • EXPORT: Export grade ciphers; 40-bit or 56-bit
  • Key exchange algorithm keywords (sometimes with Authentication specified)
    • ECDHE or ECDHE_RSA: Elliptic Curve Diffie-Hellman Ephemeral (with RSA)
    • DHE or EDH: Diffie-Hellman Ephemeral (aka Ephemeral Diffie-Hellman) (with RSA)
    • RSA: RSA (Rivest–Shamir–Adleman)
    • ADH: Anonymous Diffie-Hellman.
  • Bulk encryption algorithm keywords
    • AES-GCM: AES in GCM mode; 128-bit or 256-bit
    • AES: AES in CBC mode; 128-bit or 256-bit
    • CAMELLIA: Camellia in CBC mode; 128-bit or 256-bit
    • 3DES: Triple DES in CBC mode; 168-bit key (effectively 112-bit strength)
    • DES: Single DES in CBC mode, includes EXPORT ciphers; 40-bit & 56-bit.
    • RC4: RC4 stream cipher
  • Message Authentication Code (MAC) algorithm keywords
    • SHA384: SHA-2 384-bit hash
    • SHA256: SHA-2 256-bit hash
    • SHA: SHA-1 160-bit hash
    • MD5: MD5 128-bit hash

  • Combination and exclusion symbols
    • Combine keywords using '+' (plus sign)
    • '!' (exclamation point) is a hard exclusion. Anything excluded this way cannot be implicitly or explicitly re-enabled. It is disabled, period.
    • '-' (minus sign or dash) is a soft exclusion. Anything excluded this way can be explicitly re-enabled later in the configuration string.
      • Note: The dash is also used in the names of many cipher suites, such as ECDHE-RSA-AES128-GCM-SHA256 or RC4-SHA. Do not confuse the dashes that are part of the cipher suite names with a soft exclusion, which always precedes, or prefixes, the value being excluded.
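
The difference between a hard and a soft exclusion is easiest to see by evaluating a few strings. The following Python model is an added example, not F5 code: the suite table is a constructed sample tagged according to the keyword definitions above, the function names `select` and `expand` are hypothetical, and it assumes items in a cipher string are separated by ':' as in OpenSSL-style strings.

```python
# Constructed sample table, not a real TMM cipher list.
# name -> (keywords it answers to, per the definitions above; key bits)
SUITES = {
    "AES128-SHA":                  ({"RSA", "AES", "SHA"}, 128),
    "RC4-SHA":                     ({"RSA", "RC4", "SHA"}, 128),
    "RC4-MD5":                     ({"RSA", "RC4", "MD5"}, 128),
    "ECDHE-RSA-AES128-GCM-SHA256": ({"ECDHE", "AES-GCM", "SHA256"}, 128),
    "ECDHE-RSA-AES256-SHA":        ({"ECDHE", "AES", "SHA"}, 256),
    "ECDHE-RSA-AES256-GCM-SHA384": ({"ECDHE", "AES-GCM", "SHA384"}, 256),
}


def select(body):
    """Suites named by one item: an exact suite name, or keywords joined by '+'."""
    if body in SUITES:  # dashes inside a suite name are not exclusions
        return [body]
    wanted = set(body.split("+"))
    return [n for n, (tags, _) in SUITES.items() if wanted <= tags | {"ALL"}]


def expand(cipher_string):
    """Return the ordered list of enabled suites for a cipher string."""
    enabled, banned = [], set()
    for item in filter(None, cipher_string.split(":")):  # ':' separator is assumed
        if item == "@STRENGTH":
            enabled.sort(key=lambda n: -SUITES[n][1])  # stable: ties keep order
            continue
        op = item[0] if item[0] in "!-" else ""
        matched = select(item[len(op):])
        if op:  # both exclusions drop the matched suites from the list
            enabled = [n for n in enabled if n not in matched]
            if op == "!":  # hard exclusion: remembered, later items cannot re-add
                banned.update(matched)
        else:
            enabled += [n for n in matched if n not in banned and n not in enabled]
    return enabled


if __name__ == "__main__":
    for s in ("ALL:!RC4:RC4-SHA", "ALL:-RC4:RC4-SHA", "ECDHE+AES-GCM:AES:@STRENGTH"):
        print(f"{s:30} -> {expand(s)}")
```

With `!RC4` the later `RC4-SHA` item has no effect; with `-RC4` the same item puts RC4-SHA back at the end of the list, which is why a weak cipher meant to stay off should be excluded with '!'.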

