Forum Discussion
Certain Cipher suites are not shown in ssl server test
- Mar 17, 2020
Yes, they are properly assigned. When I change the Cipher rule, which is:
TLSv1_3:ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:ECDHE+AES:ECDHE_ECDSA+CHACHA20-POLY1305:ECDHE+CHACHA20-POLY1305:!DHE+AES-GCM:!TLSv1:!TLSv1_1:!ECDHE+AES:@STRENGTH
I see differences when checking the ciphers, but only the ECDHE_ECDSA ones are not visible in SSL Labs.
I even tried with the openssl and sslscan tools on Linux and didn't see them there either....
I just found out the reason. The certificate is created as RSA, which means:
RSA: Specifies that the key is based on the RSA public key encryption algorithm.
So no ECDSA will be presented even if allowed in the cipher suite....
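Added example (not part of the original thread, and not F5 code): the same effect reproduced with Go's crypto/tls standing in for the server. A client that offers only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is refused by a server holding an RSA certificate and accepted by one holding an ECDSA certificate. The helper names `selfSigned`, `Negotiate` and `Demo` are hypothetical, and the keys and certificates are constructed in memory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned wraps key in a throwaway self-signed certificate (constructed test data).
func selfSigned(key crypto.Signer) tls.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Negotiate runs a TLS 1.2 handshake over an in-memory pipe with a client that
// offers only suite, and returns the client-side error (nil = suite negotiated).
// Verification is skipped only because the certificate is a throwaway self-signed one.
func Negotiate(cert tls.Certificate, suite uint16) error {
	c, s := net.Pipe()
	defer c.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	go func() { srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
	return cli.Handshake()
}

// Demo offers only TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) to each server.
func Demo() (withRSA, withECDSA error) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	suite := tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	return Negotiate(selfSigned(rsaKey), suite), Negotiate(selfSigned(ecKey), suite)
}

func main() {
	r, e := Demo()
	fmt.Println("RSA cert:", r, "| ECDSA cert:", e)
}
```

The RSA case ends with a handshake-failure alert from the server, which is why a scanner never lists the ECDHE_ECDSA suites for that host even though the cipher string allows them.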
Hi Lidev,
If I test www.google.com in the same ssl lab site, I see the ciphers which are missing on mine:
1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH x25519 (eq. 3072 bits RSA) FS 256P
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
I tried even DEFAULT ciphers only and still cannot see ECDHE_ECDSA ones in the site.
tmm --clientciphers DEFAULT clearly shows that they are supported...
First time dealing with version 15 and cipher groups, but wonder what I am missing....
- Lidev (MVP), Mar 17, 2020
Did you create a Ciphers Group (Local Traffic >> Ciphers : Groups) and associate your Ciphers Rules with this group?