Forum Discussion
Enable additional ciphers
Hi Folks,
I'm fairly new to F5 and was wondering if we can add additional ciphers through our SSL profiles. Currently we have BIG-IP 11.5.4, and for the client and server SSL profiles we have this set for the ciphers: DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:!MD5:!SSLv3. I went to SSL Labs and tried to scan our website, and it gives me these ciphers:
# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
# TLS 1.1 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
# TLS 1.0 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 112
I was hoping to find a way, if possible, to add these newer ciphers through the SSL profile.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c) ECDH x25519 (eq. 3072 bits RSA) FS 128
Is this something that can be done through F5? I hope someone can share their expertise.
Best,
- Dario_Garrido
Noctilucent
Hello Lorenze.
Those ciphers should already be included in the Native suite for 11.5.4.
REF - https://support.f5.com/csp/article/K13163#11.5.3
Check with this command:
tmm --clientciphers DEFAULT
Here you have an example of how to include 'ECDHE_ECDSA' in your SSL profile.
REF - https://support.f5.com/csp/article/K13171#sslcipher
Regards,
Dario.
- lorenze
Altocumulus
Hello,
Thank you for your response. I will try to update the cipher string on my client SSL profile to this one:
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
and see if that gives me the cipher that we need. I'll update here on how it goes.
Thanks!
- lorenze
Altocumulus
So I tried updating our client SSL profile and specified this value for the cipher, and did a scan on SSL Labs, but it's not showing the ECDHE-ECDSA ciphers. Am I missing something?
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
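As an added example, not code from the thread's posters or from F5, here is a Python script that parses an SSL Labs-style suite listing like the scan quoted in the first post, flags the suites a defender would want gone (RC4, 3DES, CBC mode, static RSA key exchange) and checks whether a wanted suite can be offered at all given the certificate key types installed on the profile. The point it demonstrates is the one this thread stalls on: an ECDHE_ECDSA suite is only ever negotiated when the server presents an ECDSA certificate, so an RSA-only profile will not show those suites in a scan whatever the cipher string says. The sample listings inside are constructed from the suites quoted above; the function names, the Suite dataclass and the "OK" grade for suites SSL Labs leaves unlabelled are this example's own conventions, not SSL Labs' or F5's.

```python
"""Audit an SSL Labs-style cipher suite listing.

Added example written for this thread, not code from F5 or from the
thread's posters. The sample listings below are constructed from the
suites quoted in the thread; the rules are general TLS facts, not
BIG-IP specifics.
"""
import re
from dataclasses import dataclass

# One listing line: "<suite> (0xNN) [key-exchange details] [FS] [INSECURE|WEAK] <bits>"
SUITE_RE = re.compile(
    r"^(?P<name>TLS_[A-Z0-9_]+)\s+\((?P<id>0x[0-9a-fA-F]+)\)"
    r"(?P<rest>.*?)\s*(?P<grade>INSECURE|WEAK)?\s*(?P<bits>\d+)\s*$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    suite_id: int
    forward_secrecy: bool   # SSL Labs prints "FS" for ephemeral key exchange
    grade: str              # "INSECURE", "WEAK", or "OK" when SSL Labs shows no label
    bits: int


def parse_listing(text: str) -> list[Suite]:
    """Parse listing lines; section headers ("# TLS 1.2 ...") and blanks are skipped."""
    suites = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUITE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        suites.append(Suite(
            name=m["name"],
            suite_id=int(m["id"], 16),
            forward_secrecy="FS" in m["rest"].split(),
            grade=m["grade"] or "OK",
            bits=int(m["bits"]),
        ))
    return suites


def is_aead(suite: Suite) -> bool:
    """GCM, CCM and ChaCha20-Poly1305 are the AEAD modes; CBC suites are not."""
    return any(tag in suite.name for tag in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))


def cert_key_type(suite_name: str) -> str:
    """Certificate key type the server must hold to negotiate this suite."""
    if "_ECDSA_" in suite_name:
        return "ECDSA"
    if "_RSA_" in suite_name:
        return "RSA"
    return "unknown"


def findings_for(suite: Suite) -> list[str]:
    """Audit notes for one suite; an empty list means nothing to flag."""
    notes = []
    if "RC4" in suite.name:
        notes.append("RC4 is broken; remove it")
    if "3DES" in suite.name:
        notes.append("3DES gives 112-bit strength and is deprecated")
    if "_CBC_" in suite.name:
        notes.append("CBC mode, not AEAD (SSL Labs rates it WEAK)")
    if not suite.forward_secrecy:
        notes.append("static RSA key exchange, no forward secrecy")
    return notes


def audit(listing: str) -> dict:
    """Summarise a listing: counts, insecure and AEAD suites, per-suite findings."""
    suites = parse_listing(listing)
    return {
        "total": len(suites),
        "insecure": [s.name for s in suites if s.grade == "INSECURE"],
        "aead": [s.name for s in suites if is_aead(s)],
        "forward_secrecy_only": all(s.forward_secrecy for s in suites),
        "findings": {s.name: findings_for(s) for s in suites if findings_for(s)},
    }


def unreachable_suites(wanted: list[str], cert_key_types: set[str]) -> list[str]:
    """Suites from `wanted` the server can never offer because no certificate of the
    matching key type is installed. Adding them to the cipher string alone does nothing."""
    return [name for name in wanted if cert_key_type(name) not in cert_key_types]


# Constructed sample: a subset of the TLS 1.2 section from the scan quoted in the thread.
SCAN_TLS12 = """\
# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
"""

# Constructed sample: three of the suites the poster wants to see, in the same format.
WANTED = """\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH x25519 (eq. 3072 bits RSA) FS 128
"""

if __name__ == "__main__":
    report = audit(SCAN_TLS12)
    print(f"{report['total']} suites, {len(report['aead'])} AEAD, insecure: {report['insecure']}")
    for name, notes in report["findings"].items():
        print(f"  {name}: {'; '.join(notes)}")
    wanted_names = [s.name for s in parse_listing(WANTED)]
    print("unreachable with an RSA-only certificate:", unreachable_suites(wanted_names, {"RSA"}))
    print("unreachable with RSA + ECDSA certificates:", unreachable_suites(wanted_names, {"RSA", "ECDSA"}))
```

Run directly it prints a short report; `audit()` returns the same data as a dict so the check can sit in a pipeline that re-scans after every profile change. On the constructed sample the RSA-only run reports all three ECDHE_ECDSA suites as unreachable, which matches the thread's outcome: the cipher string was extended, the scan did not change, and the missing piece is a certificate of the right key type rather than another cipher-string token.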