Q&A: What Does The Cipher String Keywords Mean In Front End And Back End SSL Profiles? – F5 Silverline Knowledge Base

Question

What does the cipher string keywords mean in front end and back end SSL profiles?

Sorting keyword
- @STRENGTH: Re-orders the list to put stronger ciphers from the specified list first.
Protocol keywords
- TLSv1_2: cipher suites available under TLS version 1.2
- TLSv1_1: cipher suites available under TLS version 1.1
- TLSv1: cipher suites available under TLS version 1.0
- SSLv3: cipher suites available under SSL version 3

Key exchange algorithm keywords (sometimes with Authentication specified)
- ECDHE or ECDHA_RSA: Elliptic Curve Diffie-Hellman Ephemeral (with RSA)
- DHE or EDH: Diffie-Hellman Ephemeral (aka Ephemeral Diffie-Hellman) (with RSA)
- RSA: RSA (Rivest–Shamir–Adleman)
- ADH: Anonymous Diffie-Hellman.

Bulk encryption algorithm keywords
- AES-GCM: AES in GCM mode; 128-bit or 256-bit
- AES: AES in CBC mode; 128-bit or 256-bit
- CAMELLIA: Camellia in CBC mode; 128-bit or 256-bit
- 3DES: Triple DES in CBC mode; 168-bit (112-bit really)
- DES: Single DES in CBC mode, includes EXPORT ciphers; 40-bit & 56-bit.
- RC4: RC4 stream cipher
Message Authentication Code (MAC) algorithm keywords
- SHA384: SHA-2 384-bit hash
- SHA256: SHA-2 256-bit hash
- SHA: SHA-1 160-bit hash
- MD5: MD5 128-bit hash
Combination and exclusion symbols
- Combine keywords using '+' (plus sign)
- '!' (exclamation point) is a hard exclusion. Anything excluded this way cannot be implicitly or explicitly re-enabled. It is disabled, period.
- '-' (minus sign or dash) is a soft exclusion. Anything excluded this way can be explicitly re-enabled later in the configuration string.
  - Note: The dash is also used in the names of many cipher suites, such as ECDHE-RSA-AES128-GCM-SHA256 or RC4-SHA. Do not confuse the dashes that are part of the cipher suite names with a soft exclusion, which always precedes, or prefixes, the value being excluded.