For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Moinul_Rony's avatar
Moinul_Rony
Icon for Altostratus rankAltostratus
Apr 23, 2015

How to get Perfect Forward Secrecy ( PFS ) in v11.2.1 HF13

Hi,   I have recently installed F5 v11.2.1 HF13 to remediate Poodle and RC4. Which has been done. But we still are unable to enable PFS.   According to https://support.f5.com/kb/en-us/product...
application delivery
deployment
design
LTM
management
nitass's avatar
nitass
Icon for Employee rankEmployee
Apr 24, 2015

The CIPHER I am using is DEFAULT:!SSLv3:!RC4 to get a A-.

Which CIPHER settings should I use to add PFS and achieve a A+.

i think DHE is included in 11.2.1 but it is not included in default cipher. can you try 'DHE:!SSLv3'?

[root@B4200-R77-S7:Active:Standalone] config  tmsh show sys version | head

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.1
  Build    1306.0
  Edition  Hotfix HF13
  Date     Wed Dec  3 15:05:53 PST 2014

[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DEFAULT:!SSLv3:!RC4'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  47 AES128-SHA                      128  TLS1  Native AES    SHA    RSA
 1:  47 AES128-SHA                      128  TLS1.1  Native AES    SHA    RSA
 2:  47 AES128-SHA                      128  TLS1.2  Native AES    SHA    RSA
 3:  47 AES128-SHA                      128  DTLS1  Native AES    SHA    RSA
 4:  53 AES256-SHA                      256  TLS1  Native AES    SHA    RSA
 5:  53 AES256-SHA                      256  TLS1.1  Native AES    SHA    RSA
 6:  53 AES256-SHA                      256  TLS1.2  Native AES    SHA    RSA
 7:  53 AES256-SHA                      256  DTLS1  Native AES    SHA    RSA
 8:  10 DES-CBC3-SHA                    192  TLS1  Native DES    SHA    RSA
 9:  10 DES-CBC3-SHA                    192  TLS1.1  Native DES    SHA    RSA
10:  10 DES-CBC3-SHA                    192  TLS1.2  Native DES    SHA    RSA
11:  10 DES-CBC3-SHA                    192  DTLS1  Native DES    SHA    RSA
12:  60 AES128-SHA256                   128  TLS1.2  Native AES    SHA256 RSA
13:  61 AES256-SHA256                   256  TLS1.2  Native AES    SHA256 RSA
[root@B4200-R77-S7:Active:Standalone] config 
[root@B4200-R77-S7:Active:Standalone] config  tmm --clientcipher 'DHE:!SSLv3'
     ID SUITE                          BITS  PROT  METHOD CIPHER MAC    KEYX
 0:  51 DHE-RSA-AES128-SHA              128  TLS1  Native AES    SHA    EDH/RSA
 1:  51 DHE-RSA-AES128-SHA              128  TLS1.1  Native AES    SHA    EDH/RSA
 2:  51 DHE-RSA-AES128-SHA              128  TLS1.2  Native AES    SHA    EDH/RSA
 3:  51 DHE-RSA-AES128-SHA              128  DTLS1  Native AES    SHA    EDH/RSA
 4:  57 DHE-RSA-AES256-SHA              256  TLS1  Native AES    SHA    EDH/RSA
 5:  57 DHE-RSA-AES256-SHA              256  TLS1.1  Native AES    SHA    EDH/RSA
 6:  57 DHE-RSA-AES256-SHA              256  TLS1.2  Native AES    SHA    EDH/RSA
 7:  57 DHE-RSA-AES256-SHA              256  DTLS1  Native AES    SHA    EDH/RSA
 8:  21 DHE-RSA-DES-CBC-SHA              64  TLS1  Native DES    SHA    EDH/RSA
 9:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.1  Native DES    SHA    EDH/RSA
10:  21 DHE-RSA-DES-CBC-SHA              64  TLS1.2  Native DES    SHA    EDH/RSA
11:  21 DHE-RSA-DES-CBC-SHA              64  DTLS1  Native DES    SHA    EDH/RSA
12:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1  Native DES    SHA    EDH/RSA
13:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.1  Native DES    SHA    EDH/RSA
14:  22 DHE-RSA-DES-CBC3-SHA            192  TLS1.2  Native DES    SHA    EDH/RSA
15:  22 DHE-RSA-DES-CBC3-SHA            192  DTLS1  Native DES    SHA    EDH/RSA
uzi_260320's avatar
uzi_260320
Icon for Nimbostratus rankNimbostratus
Sep 07, 2016

Hi Moinul,

 

Did you ever get PFS working on 11.2.1? I'm in the same situation right now and would appreciate any guidance.

 

Thanks!