Forum Discussion

Apr 13, 2015

Chrome: Your connection is encrypted with obsolete cryptography with 10.2.4HF11 LTM

If you double click on the "lock" icon, Chrome says:


Your connection to (mysite.com) is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_128_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.


What part of this is considered obsolete? Is this an issue with the cert or the ciphers?


Please note that this site passes SHA2 checks such as "SSLlabs.com" and https://shaaaaaaaaaaaaa.com/. However, the CSR was generated with Signature Algorithm: sha1WithRSAEncryption. The certificate issued from CA with Signature Algorithm: sha256WithRSAEncryption. I don't think starting from scratch with a SHA2 CSR key matters because the cert was issued with sha256.


Also, if I terminate the connection on a Windows 2012 server, rather than on LTM, the obsolete message goes away and it shows a different cipher and key exchange mechanism, which makes me think it is only a cipher issue. I'm using the following NATIVE ciphers that pass SSLLabs tests (score A-) as follows:


!SSLv3:!SSLv2:ALL:!DES-CBC-SHA:!DH:!ADH:!EDH:!EXPORT:!RC4-SHA:!RC4-MD5:@SPEED


I don't think enabling non-NATIVE ciphers is a good idea due to limited available CPU cycles. Is this something I should just leave alone until we upgrade to 11?


3 Replies

  • I have the same message with some of my sites. I am also using a SHA256 cert, but it was generated with a sha256 csr. I am preferring strong cipher suites and ECDHE ciphers. So my message reads "AES_256_CBC with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism." I will research with our security team and see if I can get an answer.
  • Can you try to remove SHA1 in ciphers (:!SHA1)?

    [root@ve11c:Active:In Sync] config  tmm --clientcipher '!SSLv3:!SSLv2:ALL:!DES-CBC-SHA:!DH:!ADH:!EDH:!EXPORT:!RC4-SHA:!RC4-MD5:@SPEED:!SHA1'
           ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
     0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
     2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
     3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
     4:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
     5:   106  DHE-DSS-AES256-SHA256            256  TLS1.2  Native  AES     SHA256  DHE/DSS
     6: 49202  ECDH-RSA-AES256-GCM-SHA384       256  TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
     7: 49198  ECDH-ECDSA-AES256-GCM-SHA384     256  TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
     8: 49194  ECDH-RSA-AES256-SHA384           256  TLS1.2  Native  AES     SHA384  ECDH_RSA
     9: 49190  ECDH-ECDSA-AES256-SHA384         256  TLS1.2  Native  AES     SHA384  ECDH_ECDSA
    10:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA
    11:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
    12: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
    13: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
    14: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
    15: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
    16:   162  DHE-DSS-AES128-GCM-SHA256        128  TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
    17:    64  DHE-DSS-AES128-SHA256            128  TLS1.2  Native  AES     SHA256  DHE/DSS
    18: 49201  ECDH-RSA-AES128-GCM-SHA256       128  TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
    19: 49197  ECDH-ECDSA-AES128-GCM-SHA256     128  TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
    20: 49193  ECDH-RSA-AES128-SHA256           128  TLS1.2  Native  AES     SHA256  ECDH_RSA
    21: 49189  ECDH-ECDSA-AES128-SHA256         128  TLS1.2  Native  AES     SHA256  ECDH_ECDSA
    22:   156  AES128-GCM-SHA256                128  TLS1.2  Native  AES-GCM  SHA256  RSA
    23:    60  AES128-SHA256                    128  TLS1.2  Native  AES     SHA256  RSA
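
The thread turns on which of the three things Chrome names (protocol, bulk cipher plus MAC, key exchange) actually trips the "obsolete cryptography" label. The script below is an added example, not code from this thread or from F5: it parses rows in the shape of the `tmm --clientcipher` table quoted in the reply above and scores each suite against the commonly cited Chrome criterion (TLS 1.2, an AEAD cipher such as AES-GCM, and an ECDHE key exchange). The sample table rows are a constructed subset copied in that shape; treating only ECDHE as forward-secret is an assumption to adjust, since how Chrome scored DHE changed across versions.

```python
import re

# Constructed sample in the shape of the `tmm --clientcipher` table above
# (header line included so the parser has to skip it). Subset only.
SAMPLE_TABLE = """\
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 2: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
 4:   163  DHE-DSS-AES256-GCM-SHA384        256  TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
10:   157  AES256-GCM-SHA384                256  TLS1.2  Native  AES-GCM  SHA384  RSA
11:    61  AES256-SHA256                    256  TLS1.2  Native  AES     SHA256  RSA
"""

# One table row: index, numeric ID, suite name, bits, protocol, method, cipher, MAC, key exchange.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

# CIPHER column values that denote an AEAD construction (no separate HMAC).
AEAD_CIPHERS = {"AES-GCM", "CHACHA20-POLY1305"}
# Assumption: only ECDHE key exchange counts as forward-secret for this check.
FORWARD_SECRET_PREFIXES = ("ECDHE",)


def obsolete_reasons(prot, cipher, mac, keyx):
    """Return the list of reasons a suite would be labelled obsolete; empty means modern."""
    reasons = []
    if prot != "TLS1.2":
        reasons.append(f"protocol {prot} is older than TLS 1.2")
    if cipher not in AEAD_CIPHERS:
        reasons.append(f"{cipher} with a separate {mac} MAC is not an AEAD cipher")
    if not keyx.startswith(FORWARD_SECRET_PREFIXES):
        reasons.append(f"key exchange {keyx} provides no forward secrecy (ECDHE expected)")
    return reasons


def parse_tmm_table(text):
    """Parse tmm-style cipher table rows, ignoring the header and anything else."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def audit(text):
    """Map each suite name in the table to its list of obsolescence reasons."""
    return {
        r["suite"]: obsolete_reasons(r["prot"], r["cipher"], r["mac"], r["keyx"])
        for r in parse_tmm_table(text)
    }


def split_by_verdict(text):
    """Return (modern_suites, obsolete_suites) in table order."""
    modern, obsolete = [], []
    for suite, reasons in audit(text).items():
        (obsolete if reasons else modern).append(suite)
    return modern, obsolete


def question_connection():
    """The connection Chrome described in the question: AES-CBC + SHA1 MAC over RSA key exchange."""
    return obsolete_reasons("TLS1.2", "AES-CBC", "SHA1", "RSA")


if __name__ == "__main__":
    for reason in question_connection():
        print("question's site:", reason)
    modern, obsolete = split_by_verdict(SAMPLE_TABLE)
    print("modern:", modern)
    for suite in obsolete:
        print(f"obsolete: {suite}: {'; '.join(audit(SAMPLE_TABLE)[suite])}")
```

Run against the question's reported connection, the check returns two reasons, not one: the CBC-with-SHA1 cipher is not AEAD, and RSA key exchange lacks forward secrecy; TLS 1.2 itself is fine. That is also why `:!SHA1` alone, as suggested in the reply, does not clear the label for every suite: a row such as `AES256-SHA256` survives the filter but is still CBC with a separate MAC over RSA key exchange, so a client that negotiates it still sees the warning. Only the AES-GCM suites with ECDHE key exchange come back clean.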