Forum Discussion
Certain Cipher suites are not shown in ssl server test
Hi, I am running version 15.1.0.
I configured client-ssl profile with cipher group as I need to enable TLSv1.3
The cipher group has a rule which enables certain cipher suites only:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
With this I am receiving the following into the Rule Audit tab:
Cipher Suites
- TLS13-AES256-GCM-SHA384/TLS1.3
- TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
- ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
- ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
- ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
- ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
- TLS13-AES128-GCM-SHA256/TLS1.3
- ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
- ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
DH Groups
- DEFAULT
Signature Algorithms
- DEFAULT
The problem is when I check the site into ssl labs , it gives me only these ciphers :
Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_AES_128_GCM_SHA256 (0x1301)ECDH secp384r1 (eq. 7680 bits RSA) FS128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)ECDH secp384r1 (eq. 7680 bits RSA) FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)ECDH secp384r1 (eq. 7680 bits RSA) FS128
TLSv1.3 is enabled into the client-ssl profile
no-tlsv1.1
no-tlsv1
I also have serverssl profile attached to the VIP. Cannot find a way to see ECDHE-ECDSA into the ssl labs...
Yes, they are properly assigned. When I change the CIpher rule which is:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
I see differencies when checking the ciphers but only ECDHE_ECDSA are not visible into the ssllabs.
I even tried with openssl and sslscan tools via linux and didn't saw it as well....
I just found out the reason. The certificate is created as RSA. which means :
RSA: Specifies that the key is based on the RSA public key encryption algorithm.
So no ECDSA will be presented even allowed in the cipher suite....
- KaloyanCirrus
Yes, they are properly assigned. When I change the CIpher rule which is:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
I see differencies when checking the ciphers but only ECDHE_ECDSA are not visible into the ssllabs.
I even tried with openssl and sslscan tools via linux and didn't saw it as well....
I just found out the reason. The certificate is created as RSA. which means :
RSA: Specifies that the key is based on the RSA public key encryption algorithm.
So no ECDSA will be presented even allowed in the cipher suite....
Yeah, that makes sense, don't forget to mark your question as solved.
- EvergrimAltocumulus
Thanks a lot... spent the whole day on the same issue. Sometimes it is that easy 😄
Hi Kaloyan,
It looks like ECDHE-ECDSA is not yet implemented on the Qualys SSL Labs test.
REF - https://discussions.qualys.com/thread/19431-tlsv13-and-ecdsa-not-tested
Have you tried with other SSL scan sites?
https://observatory.mozilla.org/ or https://tls.imirhil.fr/
Regards
- KaloyanCirrus
Hi Lidev,
If I test www.google.com in the same ssl lab site, I see the ciphers which are missing on mine:
1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (
0xc02b
)ECDH x25519 (eq. 3072 bits RSA) FS128TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (
0xcca9
)ECDH x25519 (eq. 3072 bits RSA) FS256PTLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (
0xc02c
)ECDH x25519 (eq. 3072 bits RSA) FS256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (
0xc009
) ECDH x25519 (eq. 3072 bits RSA) FS WEAK128TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (
0xc00a
) ECDH x25519 (eq. 3072 bits RSA) FS WEAK256
I tried even DEFAULT ciphers only and still cannot see ECDHE_ECDSA ones in the site.
tmm --clientciphers DEFAULT is clearly shows that they are supported...
First time dealing with version 15 and cipher groups, but wonder what I am missing....
Did you create a Ciphers Group ( Local Traffic >> Ciphers : Groups) and associate your Ciphers Rules with this group?
- KaloyanCirrus
Yes, they are in place
Group ciphers\ cipher suites are well assigned to the SSL Client profile ? and the SSL profile to the Virtual Server ?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com