Forum Discussion
How to get Perfect Forward Secrecy (PFS) in v11.2.1 HF13
Hi,
I have recently installed F5 v11.2.1 HF13 to remediate POODLE and RC4, which has been done. But we are still unable to enable PFS.
According to https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html PFS should be enabled Natively.
The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.
Which CIPHER settings should I use to add PFS and achieve an A+?
Many thanks.
8 Replies
- What_Lies_Bene1
Cirrostratus
This other thread should help you. I don't think the minor version difference will be an issue: https://devcentral.f5.com/questions/enabling-pfs
- What_Lies_Bene1
Cirrostratus
So does using the cipher strings in that article not help? Have you actually tried?
Do you need ONLY ciphers that support PFS?
- nitass
Employee
The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get an A-.
Which CIPHER settings should I use to add PFS and achieve an A+?
I think DHE is included in 11.2.1 but it is not included in the default cipher. Can you try 'DHE:!SSLv3'?
[root@B4200-R77-S7:Active:Standalone] config tmsh show sys version | head
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 1306.0
Edition Hotfix HF13
Date Wed Dec 3 15:05:53 PST 2014
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DHE:!SSLv3'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
9: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
13: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
- Moinul_Rony
Altostratus
Thanks. But it's not working. Using DHE:!SSLv3 downgrades to a B, with Cipher Strength going down to 60. Using Native I get an 'F':
tmm --clientcipher 'NATIVE:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
13: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
15: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
16: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
17: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
18: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
19: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
20: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
21: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
22: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
24: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
25: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
26: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
27: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
28: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
29: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
30: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
31: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
32: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
33: 98 EXP1024-DES-CBC-SHA 56 TLS1.1 Native DES SHA RSA
34: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA
35: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
37: 8 EXP-DES-CBC-SHA 40 TLS1.1 Native DES SHA RSA
38: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA
39: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
40: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
41: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
- uzi_260320
Nimbostratus
Hi Moinul,
Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.
Thanks!
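A way to vet a candidate cipher string before pointing a scanner at it, as an added example that is not from this thread or from F5: the script below parses tmm --clientcipher output (line by line, or pasted onto a single line as in the replies above), marks a suite as forward-secret when its KEYX column is ephemeral DH (EDH/RSA) or ECDHE, and flags export and sub-128-bit suites, which is what pulled the DHE:!SSLv3 expansion's cipher-strength score down to a B in the thread. The two sample listings are constructed subsets of the outputs posted above.

```python
import re
from dataclasses import dataclass

# One listing row, e.g. "8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA".
# Not line-anchored, so finditer also copes with output that was pasted onto one line.
ROW = re.compile(r"(\d+):\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

@dataclass
class Suite:
    name: str
    bits: int
    proto: str
    keyx: str

    @property
    def forward_secret(self) -> bool:
        # tmm prints EDH/RSA for ephemeral DH; ECDHE suites would show ECDH. Plain RSA keyx has no PFS.
        return self.keyx.startswith(("EDH", "ECDH"))

    @property
    def weak(self) -> bool:
        # Export suites and anything under 128 bits pull a scanner's cipher-strength score down.
        return self.name.startswith("EXP") or self.bits < 128

def parse_listing(text: str) -> list:
    """Extract suites from 'tmm --clientcipher' output (multi-line or run together)."""
    return [Suite(m.group(3), int(m.group(4)), m.group(5), m.group(9)) for m in ROW.finditer(text)]

def assess(text: str) -> dict:
    """Summarise a cipher string's expansion: PFS coverage, non-PFS suites, weak suites."""
    suites = parse_listing(text)
    names = lambda pred: sorted({s.name for s in suites if pred(s)})
    return {
        "all_pfs": bool(suites) and all(s.forward_secret for s in suites),
        "no_pfs": names(lambda s: not s.forward_secret),
        "weak": names(lambda s: s.weak),
        "min_bits": min((s.bits for s in suites), default=0),
    }

# Constructed sample: a subset of the 'DHE:!SSLv3' expansion shown in this thread.
SAMPLE_DHE = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA"""

# Constructed sample: a subset of the 'DEFAULT:!SSLv3:!RC4' expansion (RSA key exchange only).
SAMPLE_DEFAULT = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA"""
```

Run assess() over the full listing of whichever string you intend to deploy; an empty "no_pfs" list with an empty "weak" list is the combination the thread is after.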