Forum Discussion
Enabling PFS
Hi everyone, I've been trying to get PFS enabled on my LTM (ver 11.4.1) and am running into a blocker. I've tried various cipher string options and have no luck so far. I've also opened a ticket with f5 support and they just point me to various devcentral discussions that don't have the detail I need.
So I guess my question is: what are the cipher options I need to add/remove to enable PFS on a SSL client profile? or is there another way to get PFS going that I am missing?
Thanks!
- Rahul_KaulCirrus
We have to enable only ciphers having "DHE" as Diffie-Hellman Ephemeral (DHE) key exchange method provides Perfect Forward Privacy. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-system-ssl-traffic-management-14-1-0-1/10.html
- james_lee_31100Nimbostratus
Hello:
I have following cert
Common name: landing.XXXX.com SANs: landing.XXXX.com Organization: XXXX Inc. Location: XXXX, Illinois, US Valid from September 4, 2015 to December 3, 2018 Serial Number: 1356153356 (0x50d5420c) Signature Algorithm: sha256WithRSAEncryption Issuer: Entrust Certification Authority - L1K
Common name: Entrust Certification Authority - L1K
Organization: Entrust, Inc. Location: US Valid from October 10, 2014 to October 10, 2024 Serial Number: 1372455166 (0x51ce00fe) Signature Algorithm: sha256WithRSAEncryption Issuer: Entrust.net Certification Authority (2048)
Common name: Entrust.net Certification Authority (2048)
Organization: Entrust.net Valid from December 24, 1999 to July 24, 2029 Serial Number: 946069240 (0x3863def8) Signature Algorithm: sha1WithRSAEncryption Issuer: Entrust.net Certification Authority (2048)
cipher suite as following ECDHE+AES:ECDHE+3DES:RSA+3DES:!SSLv2:!SSLv3:!MD5:!EXPORT:!RC4
Latest version of Chrome: 45.0.2454.85 (64-bit)
Chrome complains following:
Your connection to landing.sirva.com is encrypted using an obsolete cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.
The connection uses TLS 1.2.
The connection is encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and RSA as the key exchange mechanism.
- james_lee_31100Nimbostratusthanks Steve.. use your suggestion, fixed it AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW:!SSLv2:!SSLv3
- Steve_M__153836NimbostratusWhat version of TMOS are you running? ECDHE+AES should not result in an obsolete cipher suite, but Google's criteria for that message regarding cipher suites and cryptography are sometimes more stringent. I guess they're now considering AES_256_CBC obsolete. I would not support 3DES either. If you're running 11.5 or later I'd start with this and go from there with your testing: AES-GCM+ECDHE:NATIVE:!RC4:!ADH:!DHE:!EXP:!LOW. Also from earlier in this thread I would review this: In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305."
- JMart_143192Nimbostratus
Hello everyone,
I am trying to get the PFS enabled on my platform, I have the following profile enabled:
ltm profile client-ssl /Common/clientssl_HB_users { app-service none ca-file /Common/cert.crt cert /Common/cert_2015.crt ciphers DEFAULT:!COMPAT:ECDHE+AES:ECDHE+3DES:AES:3DES:!MD5:!EXPORT:!DES:!EDH:!RC4 defaults-from /Common/clientssl key /Common/cert_2015.key options { dont-insert-empty-fragments no-sslv3 } renegotiation disabled
I'm getting and A- on SSL Test and I need to upgrade it, My platform is on version 11.4.1 HF 6. Could you help me to solutionate this? Thank you so much! Thank you so much.
- Steve_M__153836NimbostratusSo what you're going to have to do is look at the cipher suite used for those browsers and figure out what the correct variables are with the cipher suites and remove it. I have the same issue because my business has forced me to allow the RC4 ciphers. I would get an A or A+ if it were not for that. Since you're not allowing RC4 then it is a different cipher suite that is your issue.
- JMart_143192NimbostratusHelo Steve M. Thank for your response! Yes my problem is with the FS (Forward Secrecy) it doesn't show an specific state more than "Forward Secrecy No WEAK" and it only shows me that I am not supporting FS for no one of the browsers I thought that the only thing that I see every site is that I have to put the ECDHE in the ciphers but it wasn't all for me. I don't know how can I improve this, Thank you so much
- Steve_M__153836NimbostratusThere are many things that go into that grade. I know there are are two renegotiation settings in the profile. Make sure the one you have disabled is the one that corresponds to client-side renegotiation. Also found this in Qualys' recommendations (https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf). "3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients." If there is anything from the result that states why you received the grade you did please post that so we can review it.
- Sean_Gray_14855Nimbostratus
My initial cipher string was simply "ECDHE" which actually crushed all but 2 (as I recall, only IE11 was fine) of the Windows/IE combos. It also killed a few of the java ones, and a few others. So I played around quite a bit, and had to add AES-GCM but explicitly disable weaker ciphers that came along with it. Currently only IE6/XP is not supported which I'm totally fine with, while maintaining PFS.
- Sean_Gray_14855Nimbostratus
Got this working fine a while ago using the above suggestions. I did run into a problem with killing certain versions of IE and Windows that I actually did want to support, so I ended up with the following as my cipher string which allowed me to support all of the OS/browser combos I wanted while also supporting PFS:
ECDHE+AES-GCM:NATIVE:!MD5:!EXPORT:!DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:@SPEED
After doing this, setting up the iRule for HSTS, and renewing my cert with SHA-256 my site hit the "A+" mark with SSLLabs.
- Steve_M__153836NimbostratusAJ the GCM suites are only available starting with 11.5.0.
- AJ_01_135899CirrostratusIs this with a specific hotfix applied to 11.4.1? I was under the impression that RC4-SHA was the only POODLE-secure cipher on 11.4.1 (and RC4-SHA would automatically bump you down to a "C"). I'm also not seeing AES-GCM in the list on 11.4.1
- Steve_M__153836NimbostratusVery cool on the A+. Thanks for the update. Can you elaborate on what versions of IE/Windows you had issues with and why? I know IE6 will obviously not work, but I'm interested to hear about other versions.
- sjon_195224Nimbostratus
Hey, I'm running into the same obsolete error message. Running 11.5.1, I tried your last suggestion of the following in the profile cipher list...... AES-GCM+HIGH:ECDHE+HIGH:HIGH:@STRENGTH:!RSA:!SSLV3
and this also didn't resolve.
- Steve_M__153836NimbostratusGood to hear. I had to make a change to support the Win XP/IE 8 combination. From a security perspective I think it's lunacy that we're supporting it, but just in case it is needed here is the cipher suite string I had to use. AES-GCM+ECDHE:NATIVE:RC4:!ADH:!DHE:!EXP:!LOW
- sjon_195224NimbostratusSorry, it's taken a while to update due to time off and waiting on confirmation but it looks like just using AES-GCM broke Safari (v6+) but was fine in other browsers (IE 10 also needed TLS enabled). However, changing to AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA looks to have resolved on all browsers supported by our application. Thanks!
- Steve_M__153836NimbostratusGood to hear. I'm interested to know what the devs come back with in terms of browser compatibility using just that cipher suite. I was able to reproduce your issue. I think the problem is that my initial cipher suite order that I posted didn't support any AES-GCM cipher suites that were 128-bit and I think browsers are still going after the 128-bit ciphers. Just a guess, but I think that's it. Once I tweaked it to allow a 128-bit AES-GCM cipher towards the top it used the GCM cipher suite. I used AES-GCM+ECDHE:NATIVE:!ADH:!DHE:!RSA
- David_Holmes_9Historic F5 Account
Try this string. It "prefers" DHE ciphers but allows all other normal ciphers just in case the client doesn't want to go ECDHE.
ECDHE+HIGH:HIGH
- Steve_M__153836NimbostratusThank you David. This helps.
- nitass_89166Noctilucent
I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.
if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?
by the way, isn't it clientcipher (clientssl profile)?
[root@ve11a:Active:In Sync] config tmm --clientcipher ECDHE ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
- Steve_M__153836NimbostratusCheck this out: https://www.chromium.org/Home/chromium-security/education/tlsTOC-Deprecation-of-TLS- Features-Algorithms-in-Chrome. ~~~ "Obsolete Cipher Suites You may see: “Your connection to example.com is encrypted with obsolete cryptography.” This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it). In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305." ~~~ I think this is our answer. I don't want to only supply those ciphers. I think that's much, much too narrow. So A) does 11.4.1 support those ciphers (I'll see what I can find in the docs, should be easy to find) and what variables represent them in the cipher suite so I can prefer them (this I'm not so sure how to find)? EDIT: GCM is supported starting in 11.5.0 so I need to migrate to that (or more likely 11.5.2) before being able to test/resolve this warning. I have some lab VEs i fired up 11.5.2 on. I think this is probably the cipher suite order I would use to resolve the "obsolete cryptography", maintain support for PFS, and maintain enough available suites to satisfy a variety of browsers. AES-GCM+HIGH:ECDHE+HIGH:HIGH:@STRENGTH:!RSA:!SSLV3
- Steve_M__153836NimbostratusSome error in Chrome as earlier when I excluded SHA1. ERR_SSL_VERSION_OR_CIPHER_MISMATCH A secure connection cannot be established because this site uses an unsupported protocol.
- nitass_89166Noctilucentit seems there are only 2 ciphers using sha256 in 11.4.1 hf7. would you like to try AES128-SHA256? [root@B4200-R77-S7:Active:Standalone] config tmm --clientciphers sha256 ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 1: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
- nitassEmployee
I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful.
if you want pfs, why don't you specify only ECDHE (e.g. ECDHE)?
by the way, isn't it clientcipher (clientssl profile)?
[root@ve11a:Active:In Sync] config tmm --clientcipher ECDHE ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 49200 ECDHE-RSA-AES256-GCM-SHA384 256 TLS1.2 Native AES-GCM SHA384 ECDHE_RSA 1: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 2: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 3: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 4: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 5: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 6: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 7: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 8: 49199 ECDHE-RSA-AES128-GCM-SHA256 128 TLS1.2 Native AES-GCM SHA256 ECDHE_RSA 9: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 10: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 11: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 12: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA
- Steve_M__153836NimbostratusCheck this out: https://www.chromium.org/Home/chromium-security/education/tlsTOC-Deprecation-of-TLS- Features-Algorithms-in-Chrome. ~~~ "Obsolete Cipher Suites You may see: “Your connection to example.com is encrypted with obsolete cryptography.” This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it). In order for the message to indicate “modern cryptography”, the connection should use the latest version of TLS with forward secrecy and a good (authenticated) cipher. As of mid-2015, the latest version of TLS is 1.2 and the only ciphers that Chrome considers modern are GCM or CHACHA20_POLY1305." ~~~ I think this is our answer. I don't want to only supply those ciphers. I think that's much, much too narrow. So A) does 11.4.1 support those ciphers (I'll see what I can find in the docs, should be easy to find) and what variables represent them in the cipher suite so I can prefer them (this I'm not so sure how to find)? EDIT: GCM is supported starting in 11.5.0 so I need to migrate to that (or more likely 11.5.2) before being able to test/resolve this warning. I have some lab VEs i fired up 11.5.2 on. I think this is probably the cipher suite order I would use to resolve the "obsolete cryptography", maintain support for PFS, and maintain enough available suites to satisfy a variety of browsers. AES-GCM+HIGH:ECDHE+HIGH:HIGH:@STRENGTH:!RSA:!SSLV3
- Steve_M__153836NimbostratusSome error in Chrome as earlier when I excluded SHA1. ERR_SSL_VERSION_OR_CIPHER_MISMATCH A secure connection cannot be established because this site uses an unsupported protocol.
- nitassEmployeeit seems there are only 2 ciphers using sha256 in 11.4.1 hf7. would you like to try AES128-SHA256? [root@B4200-R77-S7:Active:Standalone] config tmm --clientciphers sha256 ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 1: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
- nitassEmployee
So I guess my question is: what are the cipher options I need to add/remove to enable PFS on a SSL client profile? or is there another way to get PFS going that I am missing?
i understand pfs is included since 11.2.1. you can display cipher suite list using tmm --clientciphers and tmm --serverciphers command.
Diffie-Hellman SSL key exchange cipher The Diffie-Hellman SSL key exchange cipher, which provides perfect forward secrecy (PFS), is now included natively. This provides better performance for configurations using Diffie-Hellman, especially on physical platforms that have hardware SSL acceleration.
Release Note: BIG-IP LTM and TMOS 11.2.1
- Sean_Gray_14855NimbostratusThanks! Having read as much documentation as I can scrape up, I'm still trying to get SSL Labs to confirm PFS is enabled and am unsuccessful. Here's my cipher string: [root@lbl701:Active:In Sync] config tmm --serverciphers DEFAULT:@STRENGTH:-RC4 ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 53 AES256-SHA 256 SSL3 Native AES SHA RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 6: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 7: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 8: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 9: 10 DES-CBC3-SHA 192 SSL3 Native DES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 15: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 16: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA 17: 47 AES128-SHA 128 SSL3 Native AES SHA RSA 18: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 19: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 20: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 21: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 22: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 23: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 24: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 25: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA Do I need to disable all non-ECDHE to get this to work?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com