Forum Discussion
Enable additional ciphers
Hello Lorenze.
Those ciphers should already be included in the Native suite for 11.5.4
REF - https://support.f5.com/csp/article/K13163#11.5.3
Check with this command:
tmm --clientciphers DEFAULT
Here you have an example of how to include 'ECDHE_ECDSA' on your SSL profile.
REF - https://support.f5.com/csp/article/K13171#sslcipher
Regards,
Dario.
Hello,
Thank you for your response. I will try to update the cipher string on my client ssl profile to this one:
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE+ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
and see if that gives me the cipher that we need. I'll update here on how it goes.
Thanks!
- lorenze, Jan 27, 2021
So I tried updating our client SSL profile and specified this value on the cipher and did a scan on ssllabs, but it's not showing the ECDHE-ECDSA ciphers. Am I missing something?
DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
- Dario_Garrido, Jan 27, 2021
Hello Lorenze.
Put this in your CLI:
tmm --clientciphers DEFAULT:!SSLv2:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4:ECDHE_ECDSA:ECDHE+AES-GCM:!MD5:!SSLv3
If this output shows 'ECDHE-ECDSA' ciphers, then those should be included during TLS handshake.
To validate this, take a traffic capture during those tests and check the TLS client hello to see if those ciphers are included during negotiation.
Regards,
Dario.
- Dario_Garrido, Jan 27, 2021
Hello Lorenze.
There are some bugs regarding this kind of cipher suite.
https://cdn.f5.com/product/bugtracker/ID510837.html
https://cdn.f5.com/product/bugtracker/ID435055.html
https://cdn.f5.com/product/bugtracker/ID503620.html
https://cdn.f5.com/product/bugtracker/ID529400.html
I guess you could be matching some of them.
Regards,
Dario.
- lorenze, Jan 28, 2021
Hi,
Thank you for your response. It could be a bug as mentioned; I hope there is another workaround to enable any of the TLS_ECDHE_ECDSA** ciphers, as this is also one of your clients' cipher requirements. Appreciate your response.
Thanks,
- Dario_Garrido, Jan 28, 2021
Hello Lorenze.
To confirm you are facing a bug, you can configure your client SSL profile to use only 'ECDHE_ECDSA' ciphers.
# tmm --clientciphers ECDHE_ECDSA
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA
1: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 AES SHA ECDHE_ECDSA
2: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.1 AES SHA ECDHE_ECDSA
3: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 AES SHA ECDHE_ECDSA
4: 49187 ECDHE-ECDSA-AES128-SHA256 128 TLS1.2 AES SHA256 ECDHE_ECDSA
5: 49196 ECDHE-ECDSA-AES256-GCM-SHA384 256 TLS1.2 AES-GCM SHA384 ECDHE_ECDSA
6: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1 AES SHA ECDHE_ECDSA
7: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.1 AES SHA ECDHE_ECDSA
8: 49162 ECDHE-ECDSA-AES256-SHA 256 TLS1.2 AES SHA ECDHE_ECDSA
9: 49188 ECDHE-ECDSA-AES256-SHA384 256 TLS1.2 AES SHA384 ECDHE_ECDSA
10: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA
11: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_ECDSA
12: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.1 DES SHA ECDHE_ECDSA
13: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_ECDSA
To do so, just replace 'DEFAULT' by 'ECDHE_ECDSA' in Ciphers section and try again.
If you get an error during this connection, it's because you are facing some bug.
Some extra messages could be displayed in /var/log/ltm.
Anyway, have you checked that your cert allows you to use 'ecdhe-ecdsa'?
"When configuring an SSL profile, if an ecdhe-ecdsa cipher is selected in the 'ciphers' field, make sure ecdhe-ecdsa key/cert is also configured."
REF - https://cdn.f5.com/product/bugtracker/ID529400.html
Regards,
Dario.
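As an added example (not from this thread or from F5), a small Python parser for the table that `tmm --clientciphers` prints, so the check Dario describes (does the expanded cipher string actually contain ECDHE-ECDSA suites, and on which protocol versions?) can be done on saved output rather than by eye. The sample rows are a subset of the output pasted above; the function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Row layout of `tmm --clientciphers` output, as seen in the thread:
#   <index>: <ID> <SUITE> <BITS> <PROT> <CIPHER> <MAC> <KEYX>
TMM_ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+"
    r"(?P<prot>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

def parse_clientciphers(output: str) -> List[dict]:
    """Parse saved `tmm --clientciphers` output; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = TMM_ROW.match(line)
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["bits"] = int(row["bits"])
            rows.append(row)
    return rows

def suites_by_keyx(rows: List[dict], keyx: str = "ECDHE_ECDSA") -> Dict[str, Set[str]]:
    """Protocol version -> suite names whose key exchange is `keyx` (empty if none)."""
    by_prot: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["keyx"] == keyx:
            by_prot[r["prot"]].add(r["suite"])
    return dict(by_prot)

def legacy_entries(rows: List[dict]) -> List[str]:
    """Suites a hardening review would drop: 3DES, or bound to TLS1/TLS1.1."""
    return sorted({f'{r["suite"]}@{r["prot"]}' for r in rows
                   if r["cipher"] == "DES" or r["prot"] in ("TLS1", "TLS1.1")})

# Constructed sample: six rows taken from the tmm output quoted in the thread.
SAMPLE = """\
ID SUITE BITS PROT CIPHER MAC KEYX
0: 49195 ECDHE-ECDSA-AES128-GCM-SHA256 128 TLS1.2 AES-GCM SHA256 ECDHE_ECDSA
1: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1 AES SHA ECDHE_ECDSA
3: 49161 ECDHE-ECDSA-AES128-SHA 128 TLS1.2 AES SHA ECDHE_ECDSA
10: 52393 ECDHE-ECDSA-CHACHA20-POLY1305-SHA256 256 TLS1.2 CHACHA20-POLY1305 NULL ECDHE_ECDSA
11: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1 DES SHA ECDHE_ECDSA
13: 49160 ECDHE-ECDSA-DES-CBC3-SHA 168 TLS1.2 DES SHA ECDHE_ECDSA
"""

if __name__ == "__main__":
    parsed = parse_clientciphers(SAMPLE)
    print("ECDHE_ECDSA suites per protocol:", suites_by_keyx(parsed))
    print("legacy entries to review:", legacy_entries(parsed))
```

Run it against `tmm --clientciphers '<your cipher string>' > ciphers.txt` copied off the BIG-IP; an empty result from `suites_by_keyx` means the string does not expand to any ECDHE-ECDSA suite, before the certificate question even comes into play.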