Forum Discussion
Enable additional ciphers
Hello Lorenze.
Those ciphers should already be included in the Native suite for 11.5.4.
REF - https://support.f5.com/csp/article/K13163#11.5.3
Check with this command:
tmm --clientciphers DEFAULT
Here you have an example of how to include 'ECDHE_ECDSA' on your SSL profile.
REF - https://support.f5.com/csp/article/K13171#sslcipher
Regards,
Dario.
- lorenze, Jan 27, 2021
Altocumulus
Hello,
Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
and see if that gives me the cipher that we need. I'll update here on how it goes.
Thanks!
- lorenze, Jan 27, 2021
Altocumulus
So I tried updating our client ssl profile and specified this value on the cipher and did a scan on ssllabs, but it's not showing the ECDHE-ECDSA ciphers. Am I missing something?
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
- Dario_Garrido, Jan 27, 2021
Noctilucent
Hello Lorenze.
Put this in your CLI:
tmm --clientciphers 'DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3'
If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during the TLS handshake.
To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.
Regards,
Dario.
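The capture check suggested in the post above can be scripted. This is an added example, not part of the original thread or F5's tooling: it parses a raw TLS ClientHello record (as exported from a capture) and reports which ECDHE-ECDSA suites it offers. The function names and the sample record builder are assumptions for illustration; the suite IDs are the IANA-registered values.

```python
# IANA TLS cipher suite IDs using ECDHE key exchange with ECDSA authentication.
ECDHE_ECDSA_SUITES = {
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # client_version + random
    pos += 1 + hello[pos]                             # session_id length + value
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def offered_ecdhe_ecdsa(record: bytes) -> list:
    """Names of the ECDHE-ECDSA suites the client offered, in offer order."""
    return [ECDHE_ECDSA_SUITES[s] for s in client_hello_suites(record)
            if s in ECDHE_ECDSA_SUITES]

def build_sample(suites) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")  # suites, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    sample = build_sample([0xC02B, 0xC02F, 0x002F, 0xC00A])   # constructed offer list
    print(offered_ecdhe_ecdsa(sample))
```

The ClientHello only shows what the client offers; the suite the server actually selected appears in the ServerHello of the same capture.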
- Dario_Garrido, Jan 27, 2021
Noctilucent
Hello Lorenze.
There are some bugs regarding these kinds of cipher suites.
https://cdn.f5.com/product/bugtracker/ID510837.html
https://cdn.f5.com/product/bugtracker/ID435055.html
https://cdn.f5.com/product/bugtracker/ID503620.html
https://cdn.f5.com/product/bugtracker/ID529400.html
I guess you could be matching some of them.
Regards,
Dario.