Forum Discussion
Chrome: Your connection is encrypted with obsolete cryptography with 10.2.4HF11 LTM
If you double click on the "lock" icon, Chrome says:
Your connection to (mysite.com) is encrypted with obsolete cryptography. The connection uses TLS 1.2. The connection is encrypted using AES_128_CBC with SHA1 for message authentication and RSA as the key exchange mechanism.
What part of this is considered obsolete? Is this an issue with the cert or the ciphers?
Please note that this site passes SHA2 checks such as "SSLlabs.com" and https://shaaaaaaaaaaaaa.com/. However, the CSR was generated with Signature Algorithm: sha1WithRSAEncryption. The certificate issued from CA with Signature Algorithm: sha256WithRSAEncryption. I don't think starting from scratch with a SHA2 CSR key matters because the cert was issued with sha256.
Also, if I terminate the connection on a Windows 2012 server, rather than on LTM, the obsolete message goes away and it shows a different cipher and key exchange mechanism, which makes me think it is only a cipher issue. I'm using the following NATIVE ciphers that pass SSLLabs tests (score A-):
!SSLv3:!SSLv2:ALL:!DES-CBC-SHA:!DH:!ADH:!EDH:!EXPORT:!RC4-SHA:!RC4-MD5:@SPEED
I don't think enabling non-NATIVE ciphers is a good idea due to limited available CPU cycles. Is this something I should just leave alone until we upgrade to 11?
- Steve_M__153836 (Nimbostratus)
I have the same message with some of my sites. I am also using a SHA256 cert, but it was generated with a sha256 CSR. I am preferring strong cipher suites and ECDHE ciphers. So my message reads "AES_256_CBC with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism." I will research with our security team and see if I can get an answer.
- nitass (Employee)
Can you try to remove SHA1 in ciphers (:!SHA1)?
[root@ve11c:Active:In Sync] config tmm --clientcipher '!SSLv3:!SSLv2:ALL:!DES-CBC-SHA:!DH:!ADH:!EDH:!EXPORT:!RC4-SHA:!RC4-MD5:@SPEED:!SHA1'
       ID  SUITE                          BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 2: 49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
 3: 49188  ECDHE-ECDSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_ECDSA
 4:   163  DHE-DSS-AES256-GCM-SHA384      256   TLS1.2  Native  AES-GCM  SHA384  DHE/DSS
 5:   106  DHE-DSS-AES256-SHA256          256   TLS1.2  Native  AES      SHA256  DHE/DSS
 6: 49202  ECDH-RSA-AES256-GCM-SHA384     256   TLS1.2  Native  AES-GCM  SHA384  ECDH_RSA
 7: 49198  ECDH-ECDSA-AES256-GCM-SHA384   256   TLS1.2  Native  AES-GCM  SHA384  ECDH_ECDSA
 8: 49194  ECDH-RSA-AES256-SHA384         256   TLS1.2  Native  AES      SHA384  ECDH_RSA
 9: 49190  ECDH-ECDSA-AES256-SHA384       256   TLS1.2  Native  AES      SHA384  ECDH_ECDSA
10:   157  AES256-GCM-SHA384              256   TLS1.2  Native  AES-GCM  SHA384  RSA
11:    61  AES256-SHA256                  256   TLS1.2  Native  AES      SHA256  RSA
12: 49199  ECDHE-RSA-AES128-GCM-SHA256    128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
13: 49195  ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
14: 49191  ECDHE-RSA-AES128-SHA256        128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
15: 49187  ECDHE-ECDSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_ECDSA
16:   162  DHE-DSS-AES128-GCM-SHA256      128   TLS1.2  Native  AES-GCM  SHA256  DHE/DSS
17:    64  DHE-DSS-AES128-SHA256          128   TLS1.2  Native  AES      SHA256  DHE/DSS
18: 49201  ECDH-RSA-AES128-GCM-SHA256     128   TLS1.2  Native  AES-GCM  SHA256  ECDH_RSA
19: 49197  ECDH-ECDSA-AES128-GCM-SHA256   128   TLS1.2  Native  AES-GCM  SHA256  ECDH_ECDSA
20: 49193  ECDH-RSA-AES128-SHA256         128   TLS1.2  Native  AES      SHA256  ECDH_RSA
21: 49189  ECDH-ECDSA-AES128-SHA256       128   TLS1.2  Native  AES      SHA256  ECDH_ECDSA
22:   156  AES128-GCM-SHA256              128   TLS1.2  Native  AES-GCM  SHA256  RSA
23:    60  AES128-SHA256                  128   TLS1.2  Native  AES      SHA256  RSA
- Steve_M__153836 (Nimbostratus)
Check out the thread linked below, specifically the comments at the bottom. This is mostly related to cipher suites, but you also have to support forward secrecy and TLS 1.2.
https://devcentral.f5.com/questions/enabling-pfs
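Added example, not from the thread or from F5: a small Python checker that parses a `tmm --clientcipher` listing in the column layout nitass posted above and reports, per suite, which of the three properties Chrome's "obsolete cryptography" label is keyed on are missing. The assumed criteria (TLS 1.2, an AEAD cipher such as AES-GCM, and a forward-secret ECDHE or DHE key exchange) are the ones Steve's last comment points at; the sample listing reuses four rows from nitass's output plus one constructed SHA1/RSA row so that all three reasons appear. It shows why `:!SHA1` alone is not enough: the CBC-with-SHA256 and static-RSA suites that survive the exclusion are still flagged.

```python
"""Check an F5 `tmm --clientcipher` listing against Chrome's "modern TLS" criteria.

Assumed criteria (not stated by the thread, see lead-in): a suite is shown as
modern only when protocol >= TLS 1.2, the cipher is AEAD (GCM or ChaCha20),
and the key exchange is ephemeral (ECDHE or DHE) so it provides forward secrecy.
"""
import re
from dataclasses import dataclass

# Constructed sample in the same column order as the listing in the thread:
# "idx: ID SUITE BITS PROT METHOD CIPHER MAC KEYX". The first four rows are
# copied from nitass's output; the last row (AES128-SHA, id 47) is constructed
# to show an HMAC-SHA1 suite of the kind the original poster's browser reported.
SAMPLE_LISTING = """\
       ID  SUITE                          BITS  PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 2: 49192  ECDHE-RSA-AES256-SHA384        256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
10:   157  AES256-GCM-SHA384              256   TLS1.2  Native  AES-GCM  SHA384  RSA
23:    60  AES128-SHA256                  128   TLS1.2  Native  AES      SHA256  RSA
24:    47  AES128-SHA                     128   TLS1.2  Native  AES      SHA     RSA
"""


@dataclass(frozen=True)
class Suite:
    suite_id: int
    name: str
    bits: int
    protocol: str
    cipher: str
    mac: str
    keyx: str


# One data row: row index with a colon, then the eight listing columns.
LISTING_ROW = re.compile(
    r"^(?P<idx>\d+):\s+(?P<sid>\d+)\s+(?P<name>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)


def parse_listing(text: str) -> list[Suite]:
    """Parse the listing; the header line and anything else that is not a row is skipped."""
    suites = []
    for line in text.splitlines():
        m = LISTING_ROW.match(line.strip())
        if not m:
            continue
        suites.append(Suite(int(m["sid"]), m["name"], int(m["bits"]),
                            m["prot"], m["cipher"], m["mac"], m["keyx"]))
    return suites


def obsolete_reasons(suite: Suite) -> list[str]:
    """Return the list of reasons Chrome would call this suite obsolete (empty = modern)."""
    reasons = []
    if suite.protocol not in ("TLS1.2", "TLS1.3"):
        reasons.append(f"protocol {suite.protocol} is older than TLS 1.2")
    if not any(tag in suite.cipher.upper() for tag in ("GCM", "CHACHA")):
        # CBC mode with a separate HMAC: flagged whether the MAC is SHA1 or SHA256.
        reasons.append(f"cipher {suite.cipher} is not AEAD (CBC with {suite.mac} MAC)")
    if not suite.keyx.upper().startswith(("ECDHE", "DHE")):
        # Static RSA and static ECDH key exchange give no forward secrecy.
        reasons.append(f"key exchange {suite.keyx} gives no forward secrecy")
    return reasons


def classify(text: str) -> dict[str, list[str]]:
    """Map each suite name in the listing to its obsolete reasons."""
    return {s.name: obsolete_reasons(s) for s in parse_listing(text)}


def modern_suites(text: str) -> list[str]:
    """Names of the suites the browser would report as modern, in listing order."""
    return [s.name for s in parse_listing(text) if not obsolete_reasons(s)]


if __name__ == "__main__":
    for name, reasons in classify(SAMPLE_LISTING).items():
        print(f"{name:32} {'modern' if not reasons else '; '.join(reasons)}")
```

Run it against the full `tmm --clientcipher` output of a candidate string before pushing it to a client SSL profile. With the `@SPEED` ordering in the original string, a flagged suite that sorts ahead of an ECDHE-GCM suite will still be selected whenever the client offers it, so the order of the surviving suites matters as much as which ones are excluded.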