For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dgytech's avatar
dgytech
Icon for Altostratus rankAltostratus
Sep 27, 2019

F5 LTM 11.4.0 Cipher Suites question

We currently have an SSL client profile with the following Ciphers setting: ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA   This results in "TLS_ECDHE_RS...
LTM
security
TMSH
jaikumar_f5's avatar
jaikumar_f5
Icon for Noctilucent rankNoctilucent
Sep 28, 2019

 , Have you first checked what all the ciphers that your bigip would support as part of handshake when you append the above CIPHER - 'ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA'

To check that, run the below, 

tmm --clientciphers 'ECDHE+HIGH:HIGH:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!ADH:!SSLv3:!TLSv1:!TLSv1_1:!RSA'

The above should list a set of CIPHERS that the LTM VS would use for negotiation. I'm sure there will be minimum of 10+ CIPHER SUITES (I see it in v13).

Your above listed CIPHER - hex value of c014 has below,

ID - 49172
SUITE - ECDHE-RSA-AES256-CBC-SHA 
BITS - 256
PROT - TLS1.2
METHOD - Native
CIPHER - AES
MAC - SHA
KEYXECDHE_RSA

If you are worrying about your overall rating on SSL Labs, you can remove a certain set of CIPHERS. But if your bigip version does not support it, you can't do much about that but to upgrade to latest version. Only AEAD CIPHERS (AES-GCM and ChaCha20-Poly1305) are the strongest in the market now.

Here's the article which shows the bigip versions supported ciphers. Looks like you are very limited with ciphers in this version.

Also its not like you need to have Tls1.3 enabled to get good rating. Even with Tls1.2 with strong ciphers you will get good rating and you will eliminate weak ciphers.