Forum Discussion
How to get Perfect Forward Secrecy (PFS) in v11.2.1 HF13
Moinul_Rony
Altostratus
Apr 23, 2015
Hi,
I have recently installed F5 v11.2.1 HF13 to remediate POODLE and RC4, which has been done. But we are still unable to enable PFS.
According to https://support.f5.com/kb/en-us/product...
nitass
Employee
Apr 24, 2015
> The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get a A-.
> Which CIPHER settings should I use to add PFS and achieve a A+.

I think DHE is included in 11.2.1 but it is not included in default cipher. Can you try 'DHE:!SSLv3'?
[root@B4200-R77-S7:Active:Standalone] config tmsh show sys version | head
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 1306.0
Edition Hotfix HF13
Date Wed Dec 3 15:05:53 PST 2014
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
13: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config
[root@B4200-R77-S7:Active:Standalone] config tmm --clientcipher 'DHE:!SSLv3'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
1: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
3: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
7: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
8: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
9: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
11: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
13: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
15: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
Moinul_Rony
Altostratus
Apr 27, 2015
Thanks. But it's not working.
Using DHE:!SSLv3 - downgrades to a B, with Cipher Strength going down to 60.
Using Native I get a 'F'
~ tmm --clientcipher 'NATIVE:!SSLv3:!RC4'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
1: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA
2: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA
3: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA
4: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
5: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
6: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA
7: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
8: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA
9: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA
10: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA
11: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA
12: 9 DES-CBC-SHA 64 TLS1 Native DES SHA RSA
13: 9 DES-CBC-SHA 64 TLS1.1 Native DES SHA RSA
14: 9 DES-CBC-SHA 64 TLS1.2 Native DES SHA RSA
15: 9 DES-CBC-SHA 64 DTLS1 Native DES SHA RSA
16: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
17: 51 DHE-RSA-AES128-SHA 128 TLS1.1 Native AES SHA EDH/RSA
18: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
19: 51 DHE-RSA-AES128-SHA 128 DTLS1 Native AES SHA EDH/RSA
20: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
21: 57 DHE-RSA-AES256-SHA 256 TLS1.1 Native AES SHA EDH/RSA
22: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
23: 57 DHE-RSA-AES256-SHA 256 DTLS1 Native AES SHA EDH/RSA
24: 21 DHE-RSA-DES-CBC-SHA 64 TLS1 Native DES SHA EDH/RSA
25: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.1 Native DES SHA EDH/RSA
26: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
27: 21 DHE-RSA-DES-CBC-SHA 64 DTLS1 Native DES SHA EDH/RSA
28: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA EDH/RSA
29: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA EDH/RSA
30: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA
31: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Native DES SHA EDH/RSA
32: 98 EXP1024-DES-CBC-SHA 56 TLS1 Native DES SHA RSA
33: 98 EXP1024-DES-CBC-SHA 56 TLS1.1 Native DES SHA RSA
34: 98 EXP1024-DES-CBC-SHA 56 TLS1.2 Native DES SHA RSA
35: 98 EXP1024-DES-CBC-SHA 56 DTLS1 Native DES SHA RSA
36: 8 EXP-DES-CBC-SHA 40 TLS1 Native DES SHA RSA
37: 8 EXP-DES-CBC-SHA 40 TLS1.1 Native DES SHA RSA
38: 8 EXP-DES-CBC-SHA 40 TLS1.2 Native DES SHA RSA
39: 8 EXP-DES-CBC-SHA 40 DTLS1 Native DES SHA RSA
40: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA
41: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
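
Added example, not part of the thread: a shell filter for the `tmm --clientcipher` listings posted above that reports, per distinct suite, whether the key exchange is ephemeral (KEYX `EDH/RSA`) and whether the suite is weak. Run over the listings, it shows that the `DHE` keyword also pulls in the 64-bit `DHE-RSA-DES-CBC-SHA` and that `NATIVE` adds 40/56-bit export suites. The function names, the under-128-bit threshold and the `ECDHE` match are assumptions made for this example, not F5 behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `tmm --clientcipher '<string>'`
# output on stdin; the column layout is the one shown in the listings above.

# Print one line per distinct suite: NAME BITS PFS|no-PFS ok|WEAK
audit_suites() {
    awk '
        $1 ~ /^[0-9]+:$/ && !seen[$3]++ {
            # KEYX is the last column; EDH/RSA is the ephemeral DH value
            # shown on this page. ECDHE is assumed for versions that list it.
            pfs = ($NF ~ /^(EDH|ECDHE)/) ? "PFS" : "no-PFS"
            # Assumed policy: under 128 bits, export or RC4 counts as weak.
            weak = ($4 + 0 < 128 || $3 ~ /^EXP/ || $3 ~ /RC4/) ? "WEAK" : "ok"
            print $3, $4, pfs, weak
        }'
}

# Exit 0 only if at least one PFS suite is offered and no weak suite is.
cipher_string_ok() {
    audit_suites | awk '
        $3 == "PFS"  { pfs = 1 }
        $4 == "WEAK" { weak = 1 }
        END { exit !(pfs && !weak) }'
}

# Sample rows copied from the DHE:!SSLv3 listing above (TLS1.2 rows only).
SAMPLE_DHE='ID SUITE BITS PROT METHOD CIPHER MAC KEYX
2: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Native AES SHA EDH/RSA
6: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Native AES SHA EDH/RSA
10: 21 DHE-RSA-DES-CBC-SHA 64 TLS1.2 Native DES SHA EDH/RSA
14: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA EDH/RSA'

printf '%s\n' "$SAMPLE_DHE" | audit_suites
```

On the appliance the same functions can be fed directly, for example `tmm --clientcipher 'DHE:!SSLv3' | audit_suites`, before a candidate string is applied to the client SSL profile.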