HP1
Jan 19, 2015

How are ciphers configured or what ciphers are used with the BIG-IP Edge client?

Recently we've restricted the ciphers on the SSL profiles (Client), and disallowed SSLv3, TLSv1, and a number of other encryption. However, after the change, users using the Edge client were unable to VPN to the F5. When the users tried to connect they get, "Can't receive settings from server."

 

  • just checked for 11.5.1 HF7 and it provides quite a few (Cipher Suites: 26 suites) in the client hello.

     

    can you provide your exact ssl profile settings?

     

    as a check i would try with a browser client to connect to that server to rule out you totally disabled access. also something like https://www.ssllabs.com/ssltest/ would be interesting to check if a connection is still possible.

     

    as for the edge client, which version of TMOS are you using?

     

  • HP1

    The TMOS version is 11.4.1 HF3. Yes, the security team did use a scanning tool, and the ciphers "TLSv1_2:ECDHE+AES:DH+AES:ECDHE+AES:DH+AES:ECDHE+AES:DH+AES:ECDHE+3DES:DH+3DES:RSA+AES:RSA+AES:RSA+3DES:!MD5:!SSLv3:!EXP:!TLSv1:!RC4:!DES" did take as expected. Those using the web client for Edge Gateway were able to log in, it's just those who used the Edge Windows client are having issues.

     

  • for me it works fine with that CIPHER string (which seems to have some double entries) on a client SSL profile, but as mentioned that is version 11.5.1 HF7. you can do a packet capture to determine what your edge client offers. but i wouldn't certainly also open a support ticket.
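
Added example, not part of the thread and not F5 code: once the ClientHello bytes have been pulled out of a packet capture as suggested above, a short parser shows the highest protocol version and the cipher suites the client offers, which can be compared with the `!` protocol exclusions in the profile string. The sample hello is constructed (not captured from an Edge client), and `excluded_protocols` is a simplified reading that only looks at `!`-prefixed protocol names.

```python
import struct

# IANA code points for a few suites, shown with OpenSSL-style names (not a full registry).
SUITES = {0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA",
          0x0005: "RC4-SHA", 0x00FF: "EMPTY-RENEGOTIATION-INFO-SCSV"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1_1", 0x0303: "TLSv1_2"}

def parse_client_hello(record: bytes) -> dict:
    """Return the highest offered version (TLS <= 1.2) and cipher suites of one record."""
    try:
        ctype, _, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or body[0] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        pos = 4                                   # handshake type (1) + length (3)
        (version,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + 32                             # client_version + random
        pos += 1 + body[pos]                      # session_id length + value
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + cs_len]
        if len(raw) != cs_len or cs_len % 2:
            raise ValueError("malformed cipher suite list")
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    ids = struct.unpack("!%dH" % (cs_len // 2), raw)
    return {"max_version": VERSIONS.get(version, hex(version)),
            "suites": [SUITES.get(i, "0x%04X" % i) for i in ids]}

def excluded_protocols(cipher_string: str) -> set:
    """Protocol names removed with '!' (simplified; not F5's full cipher grammar)."""
    names = set(VERSIONS.values())
    return {t[1:] for t in cipher_string.split(":") if t.startswith("!") and t[1:] in names}

def build_sample_hello(version: int, suite_ids: list) -> bytes:
    """Constructed ClientHello for the demo; not captured from an Edge client."""
    suites = struct.pack("!%dH" % len(suite_ids), *suite_ids)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Cipher string exactly as posted in the thread.
PROFILE = "TLSv1_2:ECDHE+AES:DH+AES:ECDHE+AES:DH+AES:ECDHE+AES:DH+AES:ECDHE+3DES:DH+3DES:RSA+AES:RSA+AES:RSA+3DES:!MD5:!SSLv3:!EXP:!TLSv1:!RC4:!DES"

if __name__ == "__main__":
    offer = parse_client_hello(build_sample_hello(0x0301, [0x002F, 0x0035, 0x000A, 0x0005, 0x00FF]))
    print(offer)
    print("max version excluded by profile:", offer["max_version"] in excluded_protocols(PROFILE))
```
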