Forum Discussion
Sean_Gray_14855
Apr 17, 2014, Nimbostratus
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
nitass
Apr 18, 2014, Employee
> I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.

if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?
by the way, isn't it clientcipher (clientssl profile)?

~~~
[root@ve11a:Active:In Sync] config tmm --clientcipher ECDHE
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
~~~

- Sean_Gray_14855, Apr 18, 2014, Nimbostratus: Yep that did the trick. So in order to enable PFS you have to explicitly disable all non-ECDHE ciphers. Bummer! And yes you are absolutely right it's clientciphers not serverciphers, sorry for the mixup. :) Thanks for the help, it is much appreciated.
- Steve_M__153836, Jul 03, 2014, Nimbostratus: I've just started having to look into this and this thread helped quite a bit. Sean, by "explicitly disable" did you have to do something via command line or did you just specify the ECDHE ciphers in the SSL profile(s)?
- El-Guapo_29797, Feb 22, 2015, Nimbostratus: By "Explicitly Disable": you go to Profile - SSL - Client and locate the parent profile used, such as clientssl. Go into that and click on Advanced configuration. Then in Ciphers, let's say you want to enable ECDHE-RSA-AES128-CBC-SHA and disable AES128-SHA: you would add the following (notice that the ! before each cipher makes it disabled)

  ~~~
  DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:
  ~~~

  Or you can do this in tmsh

  ~~~
  create /ltm profile client-ssl ciphers DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:
  ~~~

- Steve_M__153836, Apr 24, 2015, Nimbostratus: Thanks for the reply El Guapo. Didn't see it until now. So I've started using the below cipher string in my client parent profile with also using the options field to disable SSLv2 and v3.

  ~~~
  tmm --clientciphers ECDHE+HIGH:HIGH:@STRENGTH
  ID SUITE BITS PROT METHOD CIPHER MAC KEYX
  0: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
  1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
  2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
  3: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
  4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
  5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
  6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
  7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
  8: 57 DHE-RSA-AES256-SHA 256 SSL3 Native AES SHA EDH/RSA
  9: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
  10: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
  11: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
  12: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
  13: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
  14: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
  15: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
  16: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA
  17: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
  18: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
  19: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
  20: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
  21: 22 DHE-RSA-DES-CBC3-SHA 192 SSL3 Native DES SHA EDH/RSA
  22: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
  23: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
  24: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
  ~~~

  The only thing I haven't been able to resolve is the little warning in Chrome when you look at the cert information and it says that our site 'is using obsolete cryptography'.
I'm guessing there is a specific cipher(s) that is outdated in the list per my cipher options, but I'm not sure how to find which it is. Any guidance or places I should look to reference that?
- nitass, Apr 24, 2015, Employee:

  > The only thing I haven't been able to resolve is the little warning in Chrome when you look at the cert information and it says that our site 'is using obsolete cryptography'.

  can you try to exclude sha1 (i.e. !SHA1)?
- Brad_Parker, Apr 24, 2015, Cirrus: Are you using a SHA1 cert? Chrome will no longer consider SHA1 certs with an expiration after Jan 1 2016 as "secure".
- Steve_M__153836, Apr 24, 2015, Nimbostratus: Brad, we are using SHA256 certificates. nitass, when I add that to my cipher string the only cipher suite left is

  ~~~
  0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
  ~~~

  This results in an error loading the page in Chrome "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". I tried DEFAULT:!SHA1 and had the same result.
- nitass, Apr 24, 2015, Employee: what version are you using?
- Steve_M__153836, Apr 24, 2015, Nimbostratus: We are using 11.4.1 HF7.
- nitass, Apr 24, 2015, Employee: it seems there are only 2 ciphers using sha256 in 11.4.1 hf7. would you like to try AES128-SHA256?

  ~~~
  [root@B4200-R77-S7:Active:Standalone] config tmm --clientciphers sha256
  ID SUITE BITS PROT METHOD CIPHER MAC KEYX
  0: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
  1: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
  ~~~
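
Added example (not part of the thread and not F5 code): a Python check that reads a `tmm --clientciphers` listing like the ones posted above, reports which suites lack an ephemeral key exchange, and flags SSL3, DES-family and SHA-1 MAC rows for review. The sample rows are constructed from suites shown in the thread; the nine-column layout and the KEYX prefixes treated as ephemeral (ECDHE, EDH, DHE) are assumptions based on that output.

```python
# Added example: audit a `tmm --clientciphers` listing for forward secrecy.
# Constructed sample rows, using suites that appear in the thread's output.
SAMPLE = """\
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
1: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
2: 53 AES256-SHA 256 SSL3 Native AES SHA RSA
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
4: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
5: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
"""

# Assumption: KEYX values starting with these prefixes are ephemeral (PFS).
EPHEMERAL_PREFIXES = ("ECDHE", "EDH", "DHE")


def audit(listing):
    """Parse suite rows and return a dict per row with PFS status and flags."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        # A suite row has 9 columns and starts with "<index>:"; skip the rest
        # (header line, shell prompt, blank lines).
        if len(parts) != 9 or not parts[0].rstrip(":").isdigit():
            continue
        _, _, suite, _, prot, _, cipher, mac, keyx = parts
        pfs = keyx.startswith(EPHEMERAL_PREFIXES)
        flags = []
        if not pfs:
            flags.append("no-forward-secrecy")
        if prot == "SSL3":
            flags.append("ssl3")
        if cipher == "DES":
            flags.append("des-family")
        if mac == "SHA":
            flags.append("sha1-mac")
        rows.append({"suite": suite, "prot": prot, "pfs": pfs, "flags": flags})
    return rows


def non_pfs_suites(listing):
    """Unique suite names a client could negotiate without forward secrecy."""
    return sorted({r["suite"] for r in audit(listing) if not r["pfs"]})


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f'{r["suite"]:32} {r["prot"]:7} {",".join(r["flags"]) or "ok"}')
    print("non-PFS:", non_pfs_suites(SAMPLE))
```

An empty result from `non_pfs_suites` means every suite the cipher string still offers uses an ephemeral key exchange.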