For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SOUMYA033_19840's avatar
SOUMYA033_19840
Icon for Nimbostratus rankNimbostratus
Apr 20, 2015

I am unable to configure f5 LTM for ECDHE-ECDSA support

HI , I tried configuring F5 LTM for ECDHE-ECDSA with TLS 1.2. For this purpose i used image 11.6.0. F5 never responded to my client hellos. Can anyone guide me whetehr F5 supports this cipher , ...
application delivery
LTM
kunjan_118660's avatar
kunjan_118660
Icon for Cumulonimbus rankCumulonimbus
Apr 20, 2015

What cipher list you have configured? Try 'ALL' instead of 'DEFAULT'

[root@bigip6:Eval:Active:Standalone] config  tmm --clientciphers ALL | grep ECDHE-ECDSA 
 1: 49196  ECDHE-ECDSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_ECDSA
 3: 49188  ECDHE-ECDSA-AES256-SHA384        256  TLS1.2  Native  AES     SHA384  ECDHE_ECDSA
 7: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1    Native  AES     SHA     ECDHE_ECDSA
 8: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.1  Native  AES     SHA     ECDHE_ECDSA
 9: 49162  ECDHE-ECDSA-AES256-SHA           256  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
46: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1    Native  DES     SHA     ECDHE_ECDSA
47: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.1  Native  DES     SHA     ECDHE_ECDSA
48: 49160  ECDHE-ECDSA-DES-CBC3-SHA         192  TLS1.2  Native  DES     SHA     ECDHE_ECDSA
68: 49195  ECDHE-ECDSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_ECDSA
70: 49187  ECDHE-ECDSA-AES128-SHA256        128  TLS1.2  Native  AES     SHA256  ECDHE_ECDSA
74: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1    Native  AES     SHA     ECDHE_ECDSA
75: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.1  Native  AES     SHA     ECDHE_ECDSA
76: 49161  ECDHE-ECDSA-AES128-SHA           128  TLS1.2  Native  AES     SHA     ECDHE_ECDSA
[root@bigip6:Eval:Active:Standalone] config  tmm --clientciphers DEFAULT | grep ECDHE-ECDSA 
[root@bigip6:Eval:Active:Standalone] config
  • SOUMYA033_19840's avatar
    SOUMYA033_19840
    Icon for Nimbostratus rankNimbostratus
    Apr 22, 2015
    I am using BIG-IP 11.6.0 Build 0.0.401 Final . I will explain you the problem which i am facing. I am importing the ECC certificates and KEY successfully in F5. After that when I am trying to add them in profile I am getting an error. !! 010717e3:3:Client SSL profile must have RSA Certificate/key pair . I am getting this error and unable to complete profile configuration .
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 22, 2015
    you can have multiple key/cert types in one clientssl profile but rsa cert/key is mandatory. Note: The profile must have an RSA certificate/key pair, and you cannot associate more than one set of the same certificate/key pair type with the profile. sol15062: Associating multiple SSL certificate/key pair types with an SSL profile https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html