Forum Discussion
Sean_Gray_14855
Apr 17, 2014Nimbostratus
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
nitass_89166
Noctilucent
I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.
if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?
by the way, isn't it clientcipher (clientssl profile)?
[root@ve11a:Active:In Sync] config tmm --clientcipher ECDHE
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA
4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA
5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA
6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA
7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA
10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA
12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
El-Guapo_29797
Feb 22, 2015Nimbostratus
By "Explicitly Disable".. You go to Profile - SSL - Client and locate the parent Profile used such as clientssl. Go into that and click on Advanced configuration. Then in Ciphers, let's say you want to enable ECDHE-RSA-AES128-CBC-SHA and disable AES128-SHA.. you would add following (notice that ! before each cipher makes it disabled)
DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:
Or you can do this in tmsh
create /ltm profile client-ssl ciphers DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects