Forum Discussion
How do you select the right cipher?
- Dec 09, 2014
Ciphers aren't the problem - the capture shows you're negotiating the "DES-CBC3-SHA" cipher, which is the F5's default for SSLv3 clients. RC4-SHA and RC4-MD5 are also options for SSLv3 if the client doesn't support 3DES.
Instead, the issue here is actually with your certificate. It's SHA-2 signed, and SSLv3 only knows about SHA-1 and MD5. You'll need to have the CA re-issue the certificate in SHA-1 format. Note that it won't be possible to get SHA-1 certificates starting in about 2016, so you'll need to upgrade your application to support TLS before then.
What version of code are you running? When we upgraded to 11.4 we broke some stuff that was trying to do SSLv3, so we had to add this to the cipher list: !EXPORT:!DH:!MD5:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:@SPEED
Having said that, SSLv3 is vulnerable so I DO NOT recommend using this if you can avoid it.