Forum Discussion
Cipher string mismatch ??
Hi,
I configured the SSL cipher string to support 6 different ciphers:
config tmm --clientciphers TLSv1_2+ECDH-RSA-AES256-GCM-SHA384:TLSv1_2+ECDH-RSA-AES256-SHA384:TLSv1_2+ECDH-RSA-AES256-SHA:TLSv1_2+DHE-RSA-AES256-SHA256:TLSv1_2+DHE-RSA-AES256-SHA:TLSv1_2+DHE-RSA-AES256-GCM-SHA384
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49202 ECDH-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDH_RSA
1: 49194 ECDH-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDH_RSA
2: 49167 ECDH-RSA-AES256-SHA 256 TLS1.2 Native AES SHA ECDH_RSA
3: 107 DHE-RSA-AES256-SHA256 256 TLS1.2 Native AES SHA256 EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
5: 159 DHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 EDH/RSA
I used that string in the ClientSSL profile, but when I tested my page with SSL Labs, only ciphers 3, 4 and 5 are supported. Any idea where the problem is?
Best regards,
Spella
- Chris_Grant (Employee)
Bear in mind that the clientssl profile is only half of the equation. Your client must also support the requested ciphers. If you take a packet capture, your client will send a client_hello informing the remote system (the BigIP in this instance) which ciphers and SSL versions (or TLS versions, more likely) it supports. The ciphers will be listed in order of preference.
The server will then select a cipher from the list offered and proceed. If your client says it only supports a couple of the ciphers you've configured the BigIP to support, then it will never select the others. By the same token, if it offers the client's preferred cipher, it may never offer any of the others.
As such it is perfectly normal for the BigIP not to use all the selected ciphers. Now if you have a client that supports some of our chosen ciphers and we are refusing to initiate a connection due to unsupported ciphers, that's a different problem.
In either case a packet capture should help you get to the bottom of things.
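As an added example (not part of the thread or of F5's own tooling), a small Python parser that pulls the cipher_suites vector out of a captured TLS 1.2 ClientHello record, in the client's preference order, and intersects it with the six suite IDs from the `tmm --clientciphers` output above. The ClientHello bytes are constructed inline for the demo rather than taken from a real capture.

```python
import struct

# Suite IDs (decimal, as printed by `tmm --clientciphers` in the post) mapped to names.
SERVER_SUITES = {
    49202: "ECDH-RSA-AES256-GCM-SHA384",
    49194: "ECDH-RSA-AES256-SHA384",
    49167: "ECDH-RSA-AES256-SHA",
    107:   "DHE-RSA-AES256-SHA256",
    57:    "DHE-RSA-AES256-SHA",
    159:   "DHE-RSA-AES256-GCM-SHA384",
}

def client_hello_suites(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record, in client order."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 34                                          # skip client_version(2) + random(32)
    sid_len = hello[pos]; pos += 1 + sid_len          # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    raw = hello[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]

def negotiable(offered, configured=SERVER_SUITES):
    """Suites both sides share, in the client's preference order."""
    return [(s, configured[s]) for s in offered if s in configured]

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                 # null compression, empty extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed client: offers ECDHE-RSA 0xC030, DHE suites 159 and 57, and a TLS 1.3 suite.
    offered = client_hello_suites(build_client_hello([0xC030, 159, 57, 0x1301]))
    print("client offers:", [hex(s) for s in offered])
    print("server can pick:", negotiable(offered))   # only the DHE suites match
```

To apply it to a real capture, feed it the first TLS record of the client's first packet after the TCP handshake (for example exported from the pcap taken with tcpdump).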
- Mohanad (Cirrostratus)
Please read the articles below:
packet tracing with the ssldump utility
Troubleshooting SSL/TLS handshake failures
- Mohanad (Cirrostratus)
tcpdump -lnni [client side vlan] -vvvXs0 -w [file.pcap]