Forum Discussion

Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Apr 19, 2018

Enabling "Honor Cipher Order" on F5 LTM v12.X

Our SSL sites are receiving F's on ssllabs. The main reason is that we are vulnerable to the ROBOT vulnerability (We are upgrading from 12.1.1 to 12.1.3.4 tonight).   However another issue we ...
application delivery
BIG-IP
LTM
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Apr 23, 2018

i apologize if i come over too strong, it was just that there didn't seem to be any progress just i read it all but it doesn't work, it seems it does work, just not exactly as wanted

if you do this

tmm --clientcipher "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

then that is the order the F5 is going to present it, same with putting that in the cipher string field.

see

[root@bigip-01:Active:Standalone] config  tmm --clientcipher "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"                                ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
[root@bigip-01:Active:Standalone] config  tmm --clientcipher "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
       ID  SUITE                            BITS PROT    METHOD  CIPHER    MAC     KEYX
 0: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_RSA
 1: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM   SHA256  ECDHE_ECDSA

stuff like @strength and such have an effect on sets, not on separate written out ciphers

so if this doesn't work for you on SSL labs you might haven't saved the profile yet or are testing against the wrong virtual server or have edited the wrong profile