Forum Discussion

cathy_123's avatar
cathy_123
Icon for Cirrostratus rankCirrostratus
Feb 21, 2017

01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- gcm-sha384' in ciphers list for profile

Hi Guys!

Does anyone experience the same issue? We are experiencing SSL/TLS Vulnerabilities per our Security Team we need to apply the certain cipher configuration and it includes this string SHA384:ECDHE-ECDSAAES256- GCM-SHA384 however our F5 doesn't accept it.

01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- 
gcm-sha384' in ciphers list for profile /Common/xxxxxx

Thank you!

  • I think you missed a dash between ECDSA and AES256.

     

    Try: SHA384:ECDHE-ECDSA-AES256-GCM-SHA384

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    On v11.6.1, it seems that leaves the following strong ciphers only:

    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES256-SHA
    DHE-RSA-AES256-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    

    .

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    You cannot define a cipher that F5 does not support.

    You can define your ciphers as:

    ECDHE:DHE:!DES:!SHA

    which gives you:

     tmm --clientciphers 'ECDHE:DHE:!DES:!SHA'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA 
     1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA 
     2: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA 
     3: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA 
     4:   159  DHE-RSA-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  EDH/RSA   
     5:   107  DHE-RSA-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  EDH/RSA   
     6:   158  DHE-RSA-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  EDH/RSA   
     7:   103  DHE-RSA-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  EDH/RSA   
    

    or simply:

    TLSv1_2+ECDHE

    which gives you:

     tmm --clientciphers 'TLSv1_2+ECDHE'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA 
     1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA 
     2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA 
     3: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA 
     4: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA 
     5: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA 
     6: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA 
    

    to support TLSv1.2 only (Caveat: There are still a lot of clients that use TLS1.0 out there.)

    You can create a test profile and let your Security people validate it.