

HetmanG (Nimbostratus)
Jan 10, 2024

Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x

Hello,

To meet security requirements, I am attempting to enable TLS 1.3 as well as turn off insecure ciphers including CBC Ciphers and all other insecure Ciphers.  I built a Cipher Group which includes f5-secure as 'Allow', f5-secure in the 'Allowed List' and then built an 'Exclude' that includes a rule which contains the cipher string:

AES:CAMELLIA:DES:RC4:AES256-GCM-SHA384:AES128-GCM-SHA256

This seems to work in that it restricts all bad ciphers which I do not want available.  When I look at the Group Audit, I see the following enabled:

Cipher Suites

ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3

The issue I am having is when I run an NMAP scan or hit the VIP with SSL Labs, I only get 6 Ciphers which do not include the ECDHE-ECDSA ciphers which should be TLS 1.2 Ciphers.  Under the client ssl profile, I removed the disable TLS 1.3 option, so we should be good there.  Is there anything else that specifically needs to be enabled to allow the BigIP device to support ECDHE-ECDSA ciphers?  Running 15.1.10.x series.

Anyone have any ideas on this?

5 Replies

  • Your NMAP scan will only show ECDSA ciphers if you have an ECDSA SSL certificate terminated on the VIP. I suspect that you are using an RSA SSL certificate, which is why you will only see RSA based ciphers.

    • whisperer (MVP)

      I would mark Michael_Saleem's reply as the solution here.

      ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only an RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.

  • Hi HetmanG,

    Did you get this sorted? I have had the same experience and would agree with Michael_Saleem; it does seem like you are using an RSA cert, so only those ciphers are being seen.

    • whisperer (MVP)

      I would start a separate thread, so that there is more visibility and separation of issues/solutions.
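A quick way to check the explanation given in the first reply and whisperer's comment against the numbers in the question: the script below (an added example, not F5 code or anything from this thread) takes the nine suites from the Cipher Group audit, works out which server certificate key type each one needs, and lists what an external scanner can negotiate for a given set of installed certificates. It assumes the audit format `SUITE/VERSION` exactly as pasted above and that TLS 1.3 suites do not depend on the certificate type, since their names only describe the record protection.

```python
from collections import defaultdict

# The cipher-group audit list from the question, reproduced as sample input.
AUDIT = """\
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3
"""

def parse_audit(text):
    """Split 'SUITE/VERSION' lines into (suite, version) tuples."""
    entries = []
    for line in text.splitlines():
        name, _, version = line.strip().partition("/")
        if name and version:
            entries.append((name, version))
    return entries

def required_cert_type(name, version):
    """Certificate key type a suite needs. TLS 1.3 suite names only
    describe the AEAD and hash; the signature algorithm is negotiated
    separately, so any server certificate can serve them (assumption)."""
    if version == "TLS1.3":
        return "any"
    if "-ECDSA-" in name:
        return "ECDSA"
    if "-RSA-" in name:
        return "RSA"
    return "unknown"  # other key-exchange families are out of scope here

def negotiable(entries, installed):
    """Suites an external scanner can actually negotiate when the client
    SSL profile only carries certificates of the given key types."""
    return [f"{n}/{v}" for n, v in entries
            if required_cert_type(n, v) in ("any", *installed)]

def missing_by_cert(entries, installed):
    """Map each absent certificate key type to the suites it would unlock."""
    gaps = defaultdict(list)
    for n, v in entries:
        need = required_cert_type(n, v)
        if need not in ("any", "unknown", *installed):
            gaps[need].append(f"{n}/{v}")
    return dict(gaps)

if __name__ == "__main__":
    entries = parse_audit(AUDIT)
    print("visible with RSA cert only:", negotiable(entries, {"RSA"}))
    print("unlocked by adding:", missing_by_cert(entries, {"RSA"}))
```

With only an RSA certificate installed the script returns exactly six suites (three ECDHE-RSA plus three TLS 1.3), matching the scanner result in the question; adding an ECDSA certificate to the profile accounts for the remaining three.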