Certain Cipher suites are not shown in ssl server test
Hi, I am running version 15.1.0.
I configured the client-ssl profile with a cipher group, as I need to enable TLSv1.3.
The cipher group has a rule which enables certain cipher suites only:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
With this I am seeing the following in the Rule Audit tab:
Cipher Suites
- TLS13-AES256-GCM-SHA384/TLS1.3
- TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
- ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
- ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
- ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
- ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
- TLS13-AES128-GCM-SHA256/TLS1.3
- ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
- ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
DH Groups
- DEFAULT
Signature Algorithms
- DEFAULT
The problem is that when I check the site in SSL Labs, it gives me only these ciphers:
Cipher Suites
# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_AES_128_GCM_SHA256 (0x1301) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
TLSv1.3 is enabled in the client-ssl profile:
no-tlsv1.1
no-tlsv1
I also have a serverssl profile attached to the VIP. Cannot find a way to see ECDHE-ECDSA in SSL Labs...
Yes, they are properly assigned. When I change the cipher rule, which is:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
I see differences when checking the ciphers, but only the ECDHE_ECDSA ones are not visible in SSL Labs.
I even tried with the openssl and sslscan tools on Linux and didn't see them either....
I just found out the reason. The certificate is created as RSA, which means:
RSA: Specifies that the key is based on the RSA public key encryption algorithm.
So no ECDSA suite will be presented, even if allowed in the cipher rule....
- KaloyanCirrus
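Added example, not part of the thread and not F5 tooling: a small Python script that takes the suite list from the Rule Audit tab above and filters it by the key type of the certificate the profile serves. With an RSA-only certificate it reproduces exactly the six suites SSL Labs reported, and it shows what an ECDSA certificate would add. The IANA suite names and hex IDs are the standard registry values; the function names and the `{"RSA"}` / `{"RSA", "ECDSA"}` inputs are my own.

```python
"""Which configured TLS cipher suites can a server actually negotiate?

A TLS 1.2 suite name encodes the authentication algorithm (ECDHE-ECDSA vs
ECDHE-RSA), so a suite is only usable if the server holds a certificate of
that key type. TLS 1.3 suites name only the AEAD and hash and work with any
certificate. The suite list below is the Rule Audit output quoted in the
thread; the certificate key-type sets are constructed inputs.
"""

# F5/OpenSSL-style suite names as printed by the Rule Audit tab ("name/version").
RULE_AUDIT_SUITES = [
    "TLS13-AES256-GCM-SHA384/TLS1.3",
    "TLS13-CHACHA20-POLY1305-SHA256/TLS1.3",
    "ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2",
    "ECDHE-RSA-AES256-GCM-SHA384/TLS1.2",
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2",
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2",
    "TLS13-AES128-GCM-SHA256/TLS1.3",
    "ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2",
    "ECDHE-RSA-AES128-GCM-SHA256/TLS1.2",
]

# OpenSSL-style name -> (IANA registry name, suite ID), the form SSL Labs prints.
IANA = {
    "TLS13-AES256-GCM-SHA384": ("TLS_AES_256_GCM_SHA384", 0x1302),
    "TLS13-CHACHA20-POLY1305-SHA256": ("TLS_CHACHA20_POLY1305_SHA256", 0x1303),
    "TLS13-AES128-GCM-SHA256": ("TLS_AES_128_GCM_SHA256", 0x1301),
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02C),
    "ECDHE-RSA-AES256-GCM-SHA384": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256": ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA9),
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256": ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA8),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02B),
    "ECDHE-RSA-AES128-GCM-SHA256": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
}


def required_key_type(suite):
    """Return the certificate key type a suite needs, or None if any type works.

    Only the suite families that appear in the thread are recognised; anything
    else raises so a typo in the list is not silently treated as negotiable.
    """
    name, _, version = suite.partition("/")
    if version == "TLS1.3" or name.startswith("TLS13-"):
        return None  # TLS 1.3: authentication is decoupled from the suite
    if "-ECDSA-" in name:
        return "ECDSA"  # needs an EC certificate (ECDSA signature)
    if "-RSA-" in name:
        return "RSA"  # needs an RSA certificate
    raise ValueError(f"unrecognised cipher suite: {suite}")


def negotiable(suites, cert_key_types):
    """Suites a client can end up using, given the key types of the server's certs."""
    return [
        s for s in suites
        if required_key_type(s) is None or required_key_type(s) in cert_key_types
    ]


def ssllabs_style(suites):
    """Render suites the way SSL Labs lists them: IANA name, hex ID, version."""
    lines = []
    for s in suites:
        name, _, version = s.partition("/")
        iana, code = IANA[name]
        lines.append(f"{iana} (0x{code:04x}) {version}")
    return lines


if __name__ == "__main__":
    print("RSA certificate only (what the thread's profile serves):")
    for line in ssllabs_style(negotiable(RULE_AUDIT_SUITES, {"RSA"})):
        print("  " + line)
    print("RSA and ECDSA certificates:")
    for line in ssllabs_style(negotiable(RULE_AUDIT_SUITES, {"RSA", "ECDSA"})):
        print("  " + line)
```

The point the filter makes explicit: the cipher rule decides what the profile is allowed to offer, but the certificate decides what can actually be authenticated, so with a single RSA certificate the three ECDHE-ECDSA entries in the Rule Audit tab are dead configuration. To have SSL Labs list both families, the server has to hold an ECDSA certificate alongside the RSA one.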
Yeah, that makes sense, don't forget to mark your question as solved.
- EvergrimAltocumulus
Thanks a lot... spent the whole day on the same issue. Sometimes it is that easy.
Hi Kaloyan,
It looks like ECDHE-ECDSA is not yet implemented in the Qualys SSL Labs test.
REF - https://discussions.qualys.com/thread/19431-tlsv13-and-ecdsa-not-tested
Have you tried with other SSL scan sites?
https://observatory.mozilla.org/ or https://tls.imirhil.fr/
Regards
- KaloyanCirrus
Hi Lidev,
If I test www.google.com on the same SSL Labs site, I see the ciphers which are missing on mine:
1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
I even tried DEFAULT ciphers only and still cannot see the ECDHE_ECDSA ones on the site.
tmm --clientciphers DEFAULT clearly shows that they are supported...
First time dealing with version 15 and cipher groups, but I wonder what I am missing....
Did you create a Ciphers Group ( Local Traffic >> Ciphers : Groups) and associate your Ciphers Rules with this group?
- KaloyanCirrus
Yes, they are in place
Are the cipher group's cipher suites assigned to the SSL Client profile? And is the SSL profile assigned to the Virtual Server?