Forum Discussion

Sean_Gray_14855's avatar
Sean_Gray_14855
Icon for Nimbostratus rankNimbostratus
Apr 17, 2014

Enabling PFS

Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket wi...
11.4
application delivery
LTM
security
ssl
JMart_143192's avatar
JMart_143192
Icon for Nimbostratus rankNimbostratus
Aug 14, 2015

Hello everyone,

I am trying to get the PFS enabled on my platform, I have the following profile enabled:

ltm profile client-ssl /Common/clientssl_HB_users {
        app-service none
        ca-file /Common/cert.crt
        cert /Common/cert_2015.crt
        ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4
        defaults-from /Common/clientssl
        key /Common/cert_2015.key
        options { dont-insert-empty-fragments no-sslv3 }
        renegotiation disabled

I'm getting and A- on SSL Test and I need to upgrade it, My platform is on version 11.4.1 HF 6. Could you help me to solutionate this? Thank you so much! Thank you so much.

Steve_M__153836's avatar
Steve_M__153836
Icon for Nimbostratus rankNimbostratus
Aug 18, 2015
So what you're going to have to do is look at the cipher suite used for those browsers and figure out what the correct variables are with the cipher suites and remove it. I have the same issue because my business has forced me to allow the RC4 ciphers. I would get an A or A+ if it were not for that. Since you're not allowing RC4 then it is a different cipher suite that is your issue.