Forum Discussion

Sean_Gray_14855's avatar
Sean_Gray_14855
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Enabling PFS

Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
11.4
application delivery
LTM
security
ssl
nitass's avatar
nitass
Icon for Employee rankEmployee

I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.

if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?

by the way, isn't it clientcipher (clientssl profile)?

[root@ve11a:Active:In Sync] config  tmm --clientcipher ECDHE
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
 5: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
 6: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
 7: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 9: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
11: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
12: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
El-Guapo_29797's avatar
El-Guapo_29797
Icon for Nimbostratus rankNimbostratus
Feb 22, 2015
By "Explicitly Disable".. You go to Profile - SSL - Client and locate the parent Profile used such as clientssl. Go into that and click on Advanced configuration. Then in Ciphers, let's say you want to enable ECDHE-RSA-AES128-CBC-SHA and disable AES128-SHA.. you would add following (notice that ! before each cipher makes it disabled) DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384: Or you can do this in tmsh create /ltm profile client-ssl ciphers DEFAULT:!AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384: