Forum Discussion

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
May 16, 2023

CBC ciphers in relation to RFC7366 Encrypt-then-MAC

Good morning, there is a recommendation from German federal security office to still allow CBC-mode ciphers as long as TLS extention "Encrypt-then-MAC" (RFC7366) is in use. But I can't find any info...
cbc
cipher
security
  • MegaZone's avatar
    MegaZone
    May 17, 2023

    To my knowledge BIG-IP does not support/use the 'Encrypt-then-MAC' RFC7366 TLS extension.  In fact, I can't find any mention of this RFC in our internal systems, so it is probably safe to say it is not supported.  I think that, in general, the industry moved to AEAD ciphers instead.

    As for AES-GCM - while it might be possible to configure a modern client NOT to use it, that'd very much be the exception and not the rule.  Any browser old enough to lack AES-GCM support would be old enough to have many other issues (and probably wouldn't support TLSv1.2 anyway), so you're better off not allowing those to connect in the first place.

    Especially has TLSv1.3 only has five supported cipher suites - and two of those are AES-GCM:

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_128_CCM_8_SHA256
    • TLS_AES_128_CCM_SHA256
    • TLS_CHACHA20_POLY1305_SHA256

    So AES-GCM support is basic table stakes for TLS these days.

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
May 19, 2023

Thanks MegaZone 🙏👍

This is really a clear and useful answer, exactly what I'm was looking for!!!.

And as CCM is not supported from F5 (we are running v15.1.8), the following cipher-string should be good to go for:

TLSv1_3+AES-GCM:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:DHE+AES-GCM:DHE_DSS+AES-GCM

Or would you recommend to keep TLS1.3 disabled or at least move it to the end of the cipher-string?

Thank you!

Regards Stefan 🙂

  • MegaZone's avatar
    MegaZone
    Icon for SIRT rankSIRT
    May 19, 2023

    Note that ECDSA & DSS will only work if your CERT supports them.  If you configure the ciphers, but the CERT doesn't allow it, they simply won't be offered/supported.  See https://my.f5.com/manage/s/article/K10340213 and https://my.f5.com/manage/s/article/K24121074 

    There shouldn't be a problem with TLSv1.3 first - personally I think that's a good idea as any client that supports TLSv1.3 will use it, and only those that can't will fall back to TLSv1.2.  You may want to use !TLSv1:!TLSv1_1 - I'd also recommend disabling them on the Options for the VIP, and make sure TLSv1.3 is *enabled* (it is disabled by default): https://my.f5.com/manage/s/article/K33000012

    Some scanners may ding you for DHE as it defaults to a 1024-bit key (while the key is rotated periodically scanners can't tell that).  We added support for larger DHE keys, but not until 16.1.3 and 17.0.0: https://my.f5.com/manage/s/article/K79342815