
Martin182
Sep 12, 2023
Solved

Cipher Suites Supported (12.1.5.3)

Hi, I am trying to adjust the SSL profile of a service to get grade A in SSL Labs.
The machine the virtual server runs on is:
---
Sys::Version
Main Package
Product BIG-IP
Version 12.1.5.3
Build 0.16.5
Edition Engineering Hotfix
Date Tue Mar 9 12:02:22 PST 2021

Hotfix List
ID625156-1
---

The problem is that I can't find the F5 resource showing the cipher suites supported by this version.
If you look at this URL, only 12.1.3 appears:

https://my.f5.com/manage/s/article/K13163#12.0.0

- SSL Labs test:

"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."

Any help will be welcome

Thank you very much, best regards

7 Replies

  • Hi Martin182,

    No new cipher suites have been added for versions 12.1.4 and 12.1.5.

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-4.html#asm_rn_new
    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-5.html#rn_new

    You can view all ciphers with the following command from the CLI.

    tmm --clientciphers all

    You can use the "!DHE:!DH" string to remove DHE and DH key exchange parameters from the cipher suite, or you can use only the "ECDHE+AES-GCM" cipher suite.

    • Martin182

      Hi Enes, first of all thank you for your reply 🙂
      You mean to enter only ECDHE+AES-GCM as the string in the ciphers field, right?

      My current string is:
      ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256

      But I don't know why only 6 of them appear in the SSL Labs test and not all 8.

      • Hi,

        When you enter "ECDHE+AES-GCM", the following cipher suites match:

        ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-RSA-AES256-GCM-SHA384

        You cannot view cipher suites containing ECDSA ciphers on SSL Labs, because the signature algorithm of the SSL certificate is RSA.

        ECDHE-ECDSA-AES256-GCM-SHA384
        ECDHE-ECDSA-AES128-GCM-SHA256

        K10340213: ECDSA ciphers not being shown at SSLabs test
        https://my.f5.com/manage/s/article/K10340213
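Added example, not from this thread or from F5: a small Python model of the two points made above, how an OpenSSL-style cipher string such as "ECDHE+AES-GCM" or "...:!DHE:!DH" selects suites from a candidate list, and why an RSA certificate leaves only 6 of the 8 configured suites visible to SSL Labs. The candidate list and the keyword-to-suite mapping are constructed assumptions covering only the suites named in this thread, not the full `tmm --clientciphers all` output.

```python
# Added example (not from the DevCentral thread or F5): models how an
# OpenSSL-style cipher string selects suites from a candidate list, and
# which selected suites a scanner can actually negotiate given the key
# type of the server certificate. CANDIDATES is a constructed list.

CANDIDATES = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256",
]

def auth_of(suite):
    """Authentication algorithm: ECDSA suites need an ECDSA certificate."""
    return "ECDSA" if "-ECDSA-" in suite else "RSA"

def tokens(suite):
    """Keywords a cipher-string entry can match against this suite."""
    kx = "RSA"                       # no (EC)DHE prefix -> static RSA key transport
    for prefix in ("ECDHE", "DHE"):
        if suite.startswith(prefix + "-"):
            kx = prefix
    toks = {kx, auth_of(suite), "AES-GCM" if "-GCM-" in suite else "AES-CBC"}
    if kx == "DHE":
        toks.add("DH")               # OpenSSL's "DH" keyword covers DHE key exchange
    return toks

def select(cipher_string, candidates=CANDIDATES):
    """Suites selected by cipher_string, in candidate order.
    Supports explicit names, '+'-joined keywords and permanent '!' removal."""
    selected, killed = [], set()
    for entry in filter(None, cipher_string.split(":")):
        name = entry.lstrip("!")
        hits = [c for c in candidates
                if c == name or all(w in tokens(c) for w in name.split("+"))]
        if entry.startswith("!"):
            killed.update(hits)
            selected = [c for c in selected if c not in killed]
        else:
            selected += [c for c in hits if c not in killed and c not in selected]
    return selected

def negotiable(suites, cert_key_type):
    """Suites a client can complete a handshake with for the given cert type."""
    return [s for s in suites if auth_of(s) == cert_key_type]
```

With the eight suites from the thread joined into one string, `select` returns all eight but `negotiable(..., "RSA")` returns six, the two ECDSA suites being unusable with an RSA certificate.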

  • Just check your SSL config; there is a cipher config hidden under a Basic/Advanced filter in the profile that might not be fully locked down.

    I had something very similar in v14, and it was more on the SSL config than what was supported.

    • Martin182

      You mean the cipher rules/groups? They are not available on this version; I think the first one to implement them is v13.

      • PSFletchTheTek

        Oh, sorry, I started my F5 work at late v13, straight into v14 about 2 months later.
        So it looks like it's a feature that appeared in that time!