Forum Discussion
cathy_123
Cirrostratus
Cirrostratus01070312:3: Invalid keyword 'ecdhe-ecdsaaes256- gcm-sha384' in ciphers list for profile
Hi Guys!
Does anyone experience the same issue? We are experiencing SSL/TLS Vulnerabilities per our Security Team we need to apply the certain cipher configuration and it includes this string SHA38...
JG
Cumulonimbus
CumulonimbusYou cannot define a cipher that F5 does not support.
You can define your ciphers as:
ECDHE:DHE:!DES:!SHAwhich gives you:
tmm --clientciphers 'ECDHE:DHE:!DES:!SHA'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
3: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
4: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
5: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
6: 158 DHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 EDH/RSA
7: 103 DHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 EDH/RSA
or simply:
TLSv1_2+ECDHEwhich gives you:
tmm --clientciphers 'TLSv1_2+ECDHE'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
3: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
4: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
5: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
6: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
to support TLSv1.2 only (Caveat: There are still a lot of clients that use TLS1.0 out there.)
You can create a test profile and let your Security people validate it.
