Forum Discussion

Nimbostratus

Sep 12, 2023

Cipher Suites Supported (12.1.5.3)

Hi, I am trying to adjust the SSL profile of a service to get grade A in SSL Labs. The machine the virtual server runs on is: --- Sys::Version Main Package Product BIG-IP Version 12.1.5.3 Buil...

Security

Enes_Afsin_Al
Sep 12, 2023
Hi Martin182,

No new cipher suites have been added for versions 12.1.4 and 12.1.5.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-4.html#asm_rn_new
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-5.html#rn_new

You can view all ciphers with the following command from cli.

tmm --clientciphers all

You can use the "!DHE:!DH" string to remove DHE and DH key exchange parameters from the cipher suite. Or you can use only "ECDHE+AES-GCM" cipher suite.

Enes_Afsin_Al

MVP

Sep 12, 2023

Hi Martin182,

No new cipher suites have been added for versions 12.1.4 and 12.1.5.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-4.html#asm_rn_new
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-12-1-5.html#rn_new

You can view all ciphers with the following command from cli.

tmm --clientciphers all

You can use the "!DHE:!DH" string to remove DHE and DH key exchange parameters from the cipher suite. Or you can use only "ECDHE+AES-GCM" cipher suite.

Martin182
Nimbostratus
Sep 12, 2023
Hi Enes, first of all thank you for your reply 🙂
You mean to enter as string in the ciphers field only ECDHE+AES-GCM right ?
My current string is:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256
But I don't know why only 6 of them appear in the SSL Labs test and not all 8.
- Enes_Afsin_Al
  MVP
  Sep 12, 2023
  Hi,
  
  When you enter "ECDHE+AES-GCM", the following cipher suites match:
  
  ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
  
  You cannot view cipher suites containing ECDSA ciphers on ssllabs. Because the signature algorithm of the SSL Certificate is RSA.
  
  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
  
  K10340213: ECDSA ciphers not being shown at SSLabs test
  https://my.f5.com/manage/s/article/K10340213
  - Martin182
    Nimbostratus
    Sep 12, 2023
    Okay, thanks again.
    I need to think about which configuration to apply, the ECDHE+AES-GCM option leaving only 2 cipher suites might be too restrictive as it is a service accessed by a large number of clients.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Cipher Suites Supported (12.1.5.3)

Recent Discussions

Gy the ft hi go to ki CE ki CE ki hi if co ltd Tel no hi hi co

SF GS see the attached document for your email and

De do please let me know when the ft ye so I

Spiritual Salt Review - Does it Work or a Scam?

Tupi Tea Reviews 2024: Real or Scam? Must Read

Related Content

Support and Help for DevCentral and Offline Contact

Cipher Suite Practices and Pitfalls

Cipher suite mismatch advertisement/warning

APM Configuration to Support Duo MFA using iRule

Securing Applications using mTLS Supported by F5 Distributed Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS