For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Moinul_Rony's avatar
Moinul_Rony
Icon for Altostratus rankAltostratus
Apr 23, 2015

How to get Perfect Forward Secrecy ( PFS ) in v11.2.1 HF13

Hi,

 

I have recently installed F5 v11.2.1 HF13 to remediate Poodle and RC4. Which has been done. But we still are unable to enable PFS.

 

According to https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-2-1.html PFS should be enabled Natively.

 

The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get a A-.

 

Which CIPHER settings should I use to add PFS and achieve a A+.

 

Many thanks.

 

application delivery
deployment
design
LTM
management

8 Replies

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Apr 24, 2015

    So does using the cipher strings in that article not help? Have you actually tried?

     

    Do you need ONLY ciphers that support PFS?

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 24, 2015

    The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get a A-.

    Which CIPHER settings should I use to add PFS and achieve a A+.

    i think DHE is included in 11.2.1 but it is not included in default cipher. can you try 'DHE:!SSLv3'?

    [root@B4200-R77-S7:Active:Standalone] config  tmsh show sys version | head

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    1306.0
  Edition  Hotfix HF13
  Date     Wed Dec  3 15:05:53 PST 2014

[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
 1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
 4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
 5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
 7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
 8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
 9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config 
[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DHE:!SSLv3'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
 1:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
 2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 3:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
 4:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
 5:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
 6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
 7:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
 8:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
 9:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
11:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
12:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
13:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
15:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
    • Moinul_Rony's avatar
      Moinul_Rony
      Icon for Altostratus rankAltostratus
      Apr 27, 2015
      Thanks. But its not working. Using DHE:!SSLv3 - downgrades to a B, with Cipher Strength going down to 60. Using Native I get a 'F' ~ tmm --clientcipher 'NATIVE:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 12: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA 13: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA 14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA 15: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA 16: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA 17: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA 18: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA 19: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA 20: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 21: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 22: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA 23: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA 24: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA 25: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA 26: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA 27: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA 28: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA 29: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA 30: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA 31: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA 32: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA 33: 98 EXP1024-DES-CBC-SHA 56 TLS1.1 Native DES SHA RSA 34: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA 35: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA 36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA 37: 8 EXP-DES-CBC-SHA 40 TLS1.1 Native DES SHA RSA 38: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA 39: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA 40: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 41: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
    • uzi_260320's avatar
      uzi_260320
      Icon for Nimbostratus rankNimbostratus
      Sep 07, 2016

      Hi Moinul,

       

      Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.

       

      Thanks!

       

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Apr 24, 2015

    The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get a A-.

    Which CIPHER settings should I use to add PFS and achieve a A+.

    i think DHE is included in 11.2.1 but it is not included in default cipher. can you try 'DHE:!SSLv3'?

    [root@B4200-R77-S7:Active:Standalone] config  tmsh show sys version | head

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    1306.0
  Edition  Hotfix HF13
  Date     Wed Dec  3 15:05:53 PST 2014

[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
 1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
 4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
 5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
 7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
 8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
 9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config 
[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DHE:!SSLv3'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
 1:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
 2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 3:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
 4:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
 5:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
 6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
 7:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
 8:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
 9:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
11:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
12:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
13:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
15:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
    • Moinul_Rony's avatar
      Moinul_Rony
      Icon for Altostratus rankAltostratus
      Apr 27, 2015
      Thanks. But its not working. Using DHE:!SSLv3 - downgrades to a B, with Cipher Strength going down to 60. Using Native I get a 'F' ~ tmm --clientcipher 'NATIVE:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 12: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA 13: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA 14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA 15: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA 16: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA 17: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA 18: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA 19: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA 20: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA 21: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA 22: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA 23: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA 24: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA 25: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA 26: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA 27: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA 28: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA 29: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA 30: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA 31: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA 32: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA 33: 98 EXP1024-DES-CBC-SHA 56 TLS1.1 Native DES SHA RSA 34: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA 35: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA 36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA 37: 8 EXP-DES-CBC-SHA 40 TLS1.1 Native DES SHA RSA 38: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA 39: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA 40: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 41: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
    • uzi_260320's avatar
      uzi_260320
      Icon for Nimbostratus rankNimbostratus
      Sep 07, 2016

      Hi Moinul,

       

      Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.

       

      Thanks!