ECC Ciphers in 11.4.1

Question

I am having some trouble getting ECDHE ciphers to function.  I am running 11.4.1 and have tried multiple cipher strings in the SSL profile, but I can't seem to get them to appear when I scan the VIP.  I always seem to get the AES-128-SHA and AES-256-SHA&nbsp;
Right now in prod I am running this on most of my servers. 
DEFAULT:!SSLv3:!RC4@STRENGTH&nbsp;
I tried adding the cipher suite but that didn't do anything&nbsp;
DEFAULT:ECDHE+AES:!SSLv3:!RC4@STRENGTH&nbsp;
I also tried doing something a little more complex.  However that didn't really change anything either.  &nbsp;
NATIVE:!MD5:!EXPORT:!3DES:!DES:!DHE:!SSLv3:!SSLv2@STRENGTH&nbsp;
The documentation says that ECC ciphers were available starting in 11.4.0.  Any help would be appreciated.&nbsp;

nathe · Answer

Mike,&nbsp;
What about if you run the following from the BIG-IP CLI?&nbsp;
tmm --clientciphers 'DEFAULT:!SSLv3:!RC4:@STRENGH' does this return possible ECDHE ciphers? My test rig is 11.5.1 and I do get ECDHE ciphers - but as you say they are included in 11.4.1.&nbsp;
Nothing else configured in the Client SSL Profile is there?&nbsp;
Hope this helps,&nbsp;
N&nbsp;

Forum Discussion

ECC Ciphers in 11.4.1

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Cipher Suite Practices and Pitfalls

Cipher Suites Supported (12.1.5.3)

Real Cryptography Has Curves: Making The Case For ECC

LTM Cipher rule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS