Jan 10, 2024

Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x


To meet security requirements, I am attempting to enable TLS 1.3 as well as turn off insecure ciphers including CBC Ciphers and all other insecure Ciphers.  I built a Cipher Group which includes f5-secure as 'Allow', f5-secure in the 'Allowed List' and then built an 'Exclude' that includes a rule which contains the cipher string:


This seems to work in that it restricts all bad ciphers which I do not want available.  When I look at the Group Audit, I see the following enabled:

Cipher Suites


The issue I am having is when I run an NMAP scan or hit the VIP with SSL Labs, I only get 6 Ciphers which do not include the ECDHE-ECDSA ciphers which should be TLS 1.2 Ciphers.  Under the client ssl profile, I removed the disable TLS 1.3 option, so we should be good there.  Is there anything else that specifically needs to be enabled to allow the BIG-IP device to support ECDHE-ECDSA ciphers?  Running 15.1.10.x series.

Anyone have any ideas on this?

  • Your NMAP scan will only show ECDSA ciphers if you have an ECDSA SSL certificate terminated on the VIP. I suspect that you are using an RSA SSL certificate, which is why you will only see RSA based ciphers.

      I would mark Michael_Saleem's reply as the solution here.

      ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only an RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.

      I would start a separate thread, so that there is more visibility and separation of issues/solutions.
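To illustrate the point made in the replies (configured suites are not the same as negotiable suites), here is an added example that is not part of the thread and not F5 code: it takes a constructed cipher list in the style of an f5-secure group and works out which suites a scanner can actually observe for a given certificate key type. The parsing follows OpenSSL-style suite names and is a deliberate simplification.

```python
"""Configured vs. observable TLS cipher suites, keyed on the certificate type.
Added example, not BIG-IP code. Suite-name parsing follows OpenSSL naming."""

# Constructed list modelled on an f5-secure style cipher group (not the page's own list).
CONFIGURED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]


def auth_of(cipher: str) -> str:
    """Certificate algorithm a suite needs to be negotiated:
    'ECDSA', 'RSA', 'DSS', or 'ANY' for TLS 1.3 suites, which are key-type agnostic."""
    if cipher.startswith("TLS_"):          # TLS 1.3 names, e.g. TLS_AES_256_GCM_SHA384
        return "ANY"
    parts = cipher.split("-")
    if parts[0] in ("ECDHE", "DHE"):       # ECDHE-ECDSA-..., ECDHE-RSA-..., DHE-RSA-...
        return parts[1]
    return "RSA"                           # static RSA key exchange, e.g. AES256-GCM-SHA384


def observable(configured, cert_key_types):
    """Suites a client (or scanner) can negotiate when the VIP serves these cert types."""
    keys = set(cert_key_types)
    return [c for c in configured if auth_of(c) == "ANY" or auth_of(c) in keys]


def hidden(configured, cert_key_types):
    """Configured suites that will never show up in a scan against this VIP."""
    shown = set(observable(configured, cert_key_types))
    return [c for c in configured if c not in shown]


if __name__ == "__main__":
    print("RSA cert only, observable:", observable(CONFIGURED, ["RSA"]))
    print("RSA cert only, hidden    :", hidden(CONFIGURED, ["RSA"]))
    print("RSA + ECDSA certs, hidden:", hidden(CONFIGURED, ["RSA", "ECDSA"]))
```

With only an RSA certificate the two ECDHE-ECDSA suites are reported as hidden; adding an ECDSA certificate to the profile makes the hidden list empty.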