For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sean_Gray_14855's avatar
Sean_Gray_14855
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Enabling PFS

Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
11.4
application delivery
LTM
security
ssl
nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
Apr 18, 2014

I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.

if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?

by the way, isn't it clientcipher (clientssl profile)?

[root@ve11a:Active:In Sync] config  tmm --clientcipher ECDHE
       ID  SUITE                            BITS PROT    METHOD  CIPHER  MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384      256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49192  ECDHE-RSA-AES256-SHA384          256  TLS1.2  Native  AES     SHA384  ECDHE_RSA
 2: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1    Native  AES     SHA     ECDHE_RSA
 3: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.1  Native  AES     SHA     ECDHE_RSA
 4: 49172  ECDHE-RSA-AES256-CBC-SHA         256  TLS1.2  Native  AES     SHA     ECDHE_RSA
 5: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1    Native  DES     SHA     ECDHE_RSA
 6: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.1  Native  DES     SHA     ECDHE_RSA
 7: 49170  ECDHE-RSA-DES-CBC3-SHA           192  TLS1.2  Native  DES     SHA     ECDHE_RSA
 8: 49199  ECDHE-RSA-AES128-GCM-SHA256      128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 9: 49191  ECDHE-RSA-AES128-SHA256          128  TLS1.2  Native  AES     SHA256  ECDHE_RSA
10: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1    Native  AES     SHA     ECDHE_RSA
11: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.1  Native  AES     SHA     ECDHE_RSA
12: 49171  ECDHE-RSA-AES128-CBC-SHA         128  TLS1.2  Native  AES     SHA     ECDHE_RSA
Steve_M__153836's avatar
Steve_M__153836
Icon for Nimbostratus rankNimbostratus
Apr 27, 2015
Check this out: https://www.chromium.org/Home/chromium-security/education/tlsTOC-Deprecation-of-TLS- Features-Algorithms-in-Chrome. ~~~ "Obsolete Cipher Suites You may see: “Your connection to example.com is encrypted with obsolete cryptography.” This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it). In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305." ~~~ I think this is our answer. I don't want to only supply those ciphers. I think that's much, much too narrow. So A) does 11.4.1 support those ciphers (I'll see what I can find in the docs, should be easy to find) and what variables represent them in the cipher suite so I can prefer them (this I'm not so sure how to find)? EDIT: GCM is supported starting in 11.5.0 so I need to migrate to that (or more likely 11.5.2) before being able to test/resolve this warning. I have some lab VEs i fired up 11.5.2 on. I think this is probably the cipher suite order I would use to resolve the "obsolete cryptography", maintain support for PFS, and maintain enough available suites to satisfy a variety of browsers. AES-GCM+HIGH:ECDHE+HIGH:HIGH:@STRENGTH:!RSA:!SSLV3