Forum Discussion

Mike_Maher's avatar
Mike_Maher
Icon for Nimbostratus rankNimbostratus
Jun 01, 2015

ECC Ciphers in 11.4.1

I am having some trouble getting ECDHE ciphers to function. I am running 11.4.1 and have tried multiple cipher strings in the SSL profile, but I can't seem to get them to appear when I scan the VIP. I always seem to get the AES-128-SHA and AES-256-SHA

 

Right now in prod I am running this on most of my servers. DEFAULT:!SSLv3:!RC4@STRENGTH

 

I tried adding the cipher suite but that didn't do anything

 

DEFAULT:ECDHE+AES:!SSLv3:!RC4@STRENGTH

 

I also tried doing something a little more complex. However that didn't really change anything either.

 

NATIVE:!MD5:!EXPORT:!3DES:!DES:!DHE:!SSLv3:!SSLv2@STRENGTH

 

The documentation says that ECC ciphers were available starting in 11.4.0. Any help would be appreciated.

 

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    Mike,

     

    What about if you run the following from the BIG-IP CLI?

     

    tmm --clientciphers 'DEFAULT:!SSLv3:!RC4:@STRENGH' does this return possible ECDHE ciphers? My test rig is 11.5.1 and I do get ECDHE ciphers - but as you say they are included in 11.4.1.

     

    Nothing else configured in the Client SSL Profile is there?

     

    Hope this helps,

     

    N