Forum Discussion
Enabling PFS
Hello:
I have the following cert:
Common name: landing.XXXX.com
SANs: landing.XXXX.com
Organization: XXXX Inc.
Location: XXXX, Illinois, US
Valid from September 4, 2015 to December 3, 2018
Serial Number: 1356153356 (0x50d5420c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Entrust Certification Authority - L1K

Common name: Entrust Certification Authority - L1K
Organization: Entrust, Inc.
Location: US
Valid from October 10, 2014 to October 10, 2024
Serial Number: 1372455166 (0x51ce00fe)
Signature Algorithm: sha256WithRSAEncryption
Issuer: Entrust.net Certification Authority (2048)

Common name: Entrust.net Certification Authority (2048)
Organization: Entrust.net
Valid from December 24, 1999 to July 24, 2029
Serial Number: 946069240 (0x3863def8)
Signature Algorithm: sha1WithRSAEncryption
Issuer: Entrust.net Certification Authority (2048)
The cipher suite is as follows: ECDHE+AES:ECDHE+3DES:RSA+3DES:!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4
Latest version of Chrome: 45.0.2454.85 (64-bit)
Chrome complains with the following:
Your connection to landing.sirva.com is encrypted using an obsolete cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
The connection uses TLS 1.2.
The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism.
- Steve_M__153836 Sep 13, 2015
Nimbostratus
What version of TMOS are you running? ECDHE+AES should not result in an obsolete cipher suite, but Google's criteria for that message regarding cipher suites and cryptography are sometimes more stringent. I guess they're now considering AES_256_CBC obsolete. I would not support 3DES either. If you're running 11.5 or later I'd start with this and go from there with your testing: AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW.

Also from earlier in this thread I would review this: "In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305."

- james_lee_31100 Sep 16, 2015
Nimbostratus
Thanks Steve. Used your suggestion, fixed it: AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW:!SSLv2:!SSLv3
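The criteria quoted in the thread (TLS 1.2, forward secrecy, GCM or CHACHA20_POLY1305) can be checked against whatever a server actually negotiates. The following is an added example, not part of the original posts; it assumes OpenSSL-style suite names as returned by Python's `ssl.SSLSocket.cipher()`, and the function names `assess` and `probe` are hypothetical.

```python
import socket
import ssl

# Key-exchange prefixes in OpenSSL-style suite names that give forward secrecy.
FS_PREFIXES = ("ECDHE-", "DHE-")
# Authenticated (AEAD) ciphers named in the criteria quoted in the thread.
AEAD_MARKERS = ("GCM", "CHACHA20")


def assess(cipher_name, protocol):
    """Return the reasons a connection misses the quoted criteria.

    An empty list means TLS 1.2+, forward secrecy, and an AEAD cipher.
    """
    name = cipher_name.upper()
    tls13 = name.startswith("TLS_")  # TLS 1.3 suites always use ephemeral keys
    problems = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append("protocol %s is older than TLS 1.2" % protocol)
    if not tls13 and not name.startswith(FS_PREFIXES):
        problems.append("no forward secrecy (key exchange is not ECDHE/DHE)")
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("cipher is not GCM or CHACHA20_POLY1305")
    return problems


def probe(host, port=443, timeout=5.0):
    """Connect to host and assess what was negotiated (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
    return name, protocol, assess(name, protocol)


# Constructed samples: the suite Chrome reported in the question (AES_256_CBC,
# HMAC-SHA1, RSA key exchange is AES256-SHA in OpenSSL naming), an ECDHE suite
# that still uses CBC, and an ECDHE + GCM suite.
SAMPLES = [
    ("AES256-SHA", "TLSv1.2"),
    ("ECDHE-RSA-AES256-SHA", "TLSv1.2"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
]

if __name__ == "__main__":
    for name, proto in SAMPLES:
        issues = assess(name, proto)
        print(name, proto, "->", "modern" if not issues else "; ".join(issues))
```

Running `probe()` against the virtual server after each cipher-string change shows which suite a default Python client ends up with, which may differ from what a particular browser negotiates.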