Forum Discussion
F5 LTM 11.4.0 Cipher Suites question
MEDIUM: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 128-bit and 256-bit
MAX: ECDHE:ECDHE_ECDSA:!AES:!SHA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 256-bit
If you don’t want to block those CBC ciphers, then you can use the following string(s) below:
MEDIUM: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 128-bit and 256-bit
MAX: ECDHE:ECDHE_ECDSA:!RC4:!EXP:!DES:!3DES:!MEDIUM:!LOW:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1:@STRENGTH
Key size allowed 256-bit
Explanation
- ECDHE - Allow Elliptic Curve Diffie-Hellman Ephemeral with RSA
- ECDHE_ECDSA - Allow ECDHE with Elliptic Curve Digital Signature Algorithm
- !AES - Block AES in CBC mode - 128-bit or 256-bit (needed to stop CBC ciphers)
- !SHA - Block SHA/SHA1 (needed to stop CBC ciphers)
- !RC4 - Block RC4 stream cipher
- !EXP - Block export-grade ciphers - 40-bit or 56-bit
- !DES - Block Single DES in CBC mode - 40-bit & 56-bit
- !3DES - Block Triple DES in CBC mode - 168-bit
- !LOW - Block Key size < 128bit
- !MEDIUM - Block Key size <= 128bit (only 256-bit and higher remains)
- !SSLv2 - Block SSLv2 Protocol
- !SSLv3 - Block SSLv3 Protocol
- !TLSv1 - Block TLS1.0 Protocol
- !TLSv1_1 - Block TLS1.1 Protocol
- @STRENGTH - Enforce most secure first
Personally, I made multiple changes for a project to stop TLS1.0 and TLS1.1 support, but I find it easier to not include those in the cipher string but in the options of the profile. Then you have a better overview, and if you save this as a "template" you can re-assign it to your clientssl profiles, so you don't need to maintain all those individually but only the "parent". With the options to block CBC you will have a guaranteed A/A+ grade on SSL Labs. Keep in mind that Windows 7 clients with IE11 don't support GCM ciphers in combination with an RSA certificate! If you want to enforce GCM for Windows 7 and IE11 you need an RSA AND an ECDSA certificate in one client-ssl profile in order to let a client make a handshake with ECDHE_ECDSA.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
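As an added illustration (not code from the post or from F5), here is a small Python model of the keyword semantics exactly as the post explains them, run over a constructed suite table; it shows why `!AES:!SHA` leaves only the GCM suites and why `!MEDIUM` narrows the MAX string to the two 256-bit suites listed above. The suite table, the predicates and the protocol handling are simplifications assumed for this example, not BIG-IP's actual cipher engine.

```python
"""Toy evaluator for the F5-style cipher strings in the post. The suite table,
keyword predicates and protocol handling are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Suite:
    name: str    # constructed sample suite name
    kx: str      # "ECDHE_RSA", "ECDHE_ECDSA" or "RSA"
    cipher: str  # "AES-GCM", "AES-CBC", "3DES" or "RC4"
    mac: str     # "SHA" (SHA1), "SHA256" or "SHA384"
    bits: int    # symmetric key size in bits

SUITES = [
    Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_RSA", "AES-GCM", "SHA256", 128),
    Suite("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA", "AES-GCM", "SHA384", 256),
    Suite("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE_ECDSA", "AES-GCM", "SHA384", 256),
    Suite("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE_RSA", "AES-CBC", "SHA", 256),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE_RSA", "AES-CBC", "SHA256", 128),
    Suite("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE_RSA", "3DES", "SHA", 168),
    Suite("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4", "SHA", 128),
]

# Keyword -> predicate, following the post's explanation; "AES" matches CBC only.
KEYWORDS = {
    "ECDHE": lambda s: s.kx == "ECDHE_RSA",
    "ECDHE_ECDSA": lambda s: s.kx == "ECDHE_ECDSA",
    "AES": lambda s: s.cipher == "AES-CBC",
    "SHA": lambda s: s.mac == "SHA",
    "RC4": lambda s: s.cipher == "RC4",
    "DES": lambda s: s.cipher == "DES",
    "3DES": lambda s: s.cipher == "3DES",
    "EXP": lambda s: s.bits <= 56,
    "LOW": lambda s: s.bits < 128,
    "MEDIUM": lambda s: s.bits <= 128,
}
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]

def evaluate(cipher_string):
    """Return (suite names in final order, protocol versions still allowed)."""
    allowed, protocols = [], list(PROTOCOLS)
    for token in cipher_string.split(":"):
        if token == "@STRENGTH":                      # strongest key size first
            allowed.sort(key=lambda s: s.bits, reverse=True)
        elif token.startswith("!") and token[1:] in PROTOCOLS:
            protocols = [p for p in protocols if p != token[1:]]  # version gate
        elif token.startswith("!"):                   # "!X": drop matching suites
            allowed = [s for s in allowed if not KEYWORDS[token[1:]](s)]
        else:                                         # bare keyword: add matches
            allowed += [s for s in SUITES if KEYWORDS[token](s) and s not in allowed]
    return [s.name for s in allowed], protocols
```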