Enabling ECDHE-ECDSA Ciphers TMOS 15.1.10.x
Hello,
To meet security requirements, I am attempting to enable TLS 1.3 as well as turn off insecure ciphers including CBC Ciphers and all other insecure Ciphers. I built a Cipher Group which includes f5-secure as 'Allow', f5-secure in the 'Allowed List' and then built an 'Exclude' that includes a rule which contains the cipher string:
AES:CAMELLIA:DES:RC4:AES256-GCM-SHA384:AES128-GCM-SHA256
This seems to work in that it restricts all bad ciphers which I do not want available. When I look at the Group Audit, I see the following enabled:
Cipher Suites
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3
The issue I am having is when I run an NMAP scan or hit the VIP with SSL Labs, I only get 6 Ciphers which do not include the ECDHE-ECDSA ciphers which should be TLS 1.2 Ciphers. Under the client ssl profile, I removed the disable TLS 1.3 option, so we should be good there. Is there anything else that specifically needs to be enabled to allow the BigIP device to support ECDHE-ECDSA ciphers? Running 15.1.10.x series.
Anyone have any ideas on this?
Your NMAP scan will only show ECDSA ciphers if you have an ECDSA SSL certificate terminated on the VIP. I suspect that you are using an RSA SSL certificate, which is why you will only see RSA-based ciphers.
I would mark Michael_Saleem's reply as the solution here.
ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only an RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.
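The two answers above make the same point: a suite whose name carries ECDSA authentication is only offerable when an ECDSA (ECC) certificate is installed on the virtual server, while TLS 1.3 suites name no authentication at all and appear regardless. The script below is an added example, not code from the thread or from F5; it parses the cipher-group audit output quoted in the question, works out which suites a scanner could actually negotiate for a given set of certificate key types, and shows that an RSA-only certificate leaves exactly the six suites the poster saw. The `key_type_from_x509_text` helper maps the "Public Key Algorithm" line of `openssl x509 -noout -text` output to the same naming, and the certificate snippet it is fed is constructed for the example.

```python
import re
from dataclasses import dataclass

# Cipher-suite names copied from the cipher-group audit output quoted in the
# question (the nine suites the poster sees enabled on the BIG-IP).
AUDIT_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384/TLS1.2
ECDHE-RSA-CHACHA20-POLY1305-SHA256/TLS1.2
ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256/TLS1.2
TLS13-AES256-GCM-SHA384/TLS1.3
TLS13-CHACHA20-POLY1305-SHA256/TLS1.3
ECDHE-RSA-AES128-GCM-SHA256/TLS1.2
ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2
TLS13-AES128-GCM-SHA256/TLS1.3
"""

# Constructed fragment of `openssl x509 -noout -text` output for an RSA leaf
# certificate; only the "Public Key Algorithm" line matters here.
SAMPLE_RSA_CERT_TEXT = """\
        Subject: CN = vip.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
"""


@dataclass(frozen=True)
class Suite:
    name: str
    version: str  # "TLS1.2" or "TLS1.3"
    auth: str     # "RSA", "ECDSA", or "ANY" for TLS 1.3 suites


def auth_family(name):
    """Derive the certificate type a suite authenticates with from its
    OpenSSL-style name. TLS 1.3 suites negotiate signature algorithms
    separately from the cipher suite, so they are marked "ANY"."""
    if name.startswith("TLS13-"):
        return "ANY"
    if "-ECDSA-" in name:
        return "ECDSA"
    if any(tag in name for tag in ("-DSS-", "PSK", "ADH", "AECDH", "SRP")):
        raise ValueError(f"unsupported authentication family in suite: {name}")
    # ECDHE-RSA-*, DHE-RSA-* and static-RSA names (AES256-GCM-SHA384) all
    # authenticate with an RSA certificate.
    return "RSA"


def parse_audit(text):
    """Parse 'NAME/VERSION' lines from the cipher-group audit into Suite objects."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition("/")
        suites.append(Suite(name, version, auth_family(name)))
    return suites


def negotiable(suites, cert_key_types):
    """Suites a client can negotiate given the key types of the certificates
    on the virtual server, e.g. {"RSA"} or {"RSA", "ECDSA"}."""
    return [s for s in suites if s.auth == "ANY" or s.auth in cert_key_types]


def blocked_by_certificate(suites, cert_key_types):
    """Configured suites that never appear in a scan because no certificate
    of the matching key type is installed."""
    return [s for s in suites if s.auth != "ANY" and s.auth not in cert_key_types]


def key_type_from_x509_text(text):
    """Map the 'Public Key Algorithm' line of openssl x509 text output to the
    family used in cipher-suite names."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if not m:
        raise ValueError("no Public Key Algorithm line found")
    return {"rsaEncryption": "RSA", "id-ecPublicKey": "ECDSA"}.get(m.group(1), m.group(1))


if __name__ == "__main__":
    suites = parse_audit(AUDIT_OUTPUT)
    installed = {key_type_from_x509_text(SAMPLE_RSA_CERT_TEXT)}
    print(f"certificate key types installed: {sorted(installed)}")
    print("suites a scanner should report:")
    for s in negotiable(suites, installed):
        print(f"  {s.name}/{s.version}")
    print("configured but unreachable until a matching certificate is added:")
    for s in blocked_by_certificate(suites, installed):
        print(f"  {s.name}/{s.version}")
```

With an RSA-only certificate the script lists three ECDHE-RSA suites plus the three TLS 1.3 suites, the six the scanner reports, and flags the three ECDHE-ECDSA suites as blocked; adding an ECDSA certificate to the same client SSL profile (so the set becomes `{"RSA", "ECDSA"}`) makes all nine negotiable. To confirm against a live virtual server, run `openssl x509 -noout -text` on the certificate the profile uses and check its "Public Key Algorithm" line rather than inferring from the scan alone.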
Hi HetmanG,
Did you get this sorted? I have had the same experience and would agree with Michael_Saleem; it does seem like you are using an RSA cert, so only those ciphers are being seen.
- AddisynWard (Nimbostratus)
I want to ask a similar question, can I ask it?
I would start a separate thread, so that there is more visibility and separation of issues/solutions.