Forum Discussion

_DDD's avatar
_DDD
Icon for Nimbostratus rankNimbostratus
Jan 04, 2022

Question regarding the SSL/TLS cipher and Certificate

Hi Folks,

 

I have two question regarding SSL/TLS cipher and Certificate. We used the same ssl profile with same cipher suite on two different F5 VSs, and we tested SSL/TLS by Qualys SSL Labs. But we saw the different report. One of the website got the A grade, but the other website got the B grade, because the webpage didn't use the forward secrecy cipher suite. Why do we get the discrepancy report ?

 

The other question:

There were several WAF or Load balancer on the same network chain to handle the same traffic for the same website.

It was like there is a user send the HTTPS request through the several proxy device and final reach the website. Why the user got the certificate problem If one of the proxy which wasn't placed on the first gave the wrong ssl certificate ? Wouldn't the first proxy unit handling client side ssl handshake?

 

 

 

Regards,

Ding

 

  • Do you get the same result when you use @STRENGTH vs @SPEED in your cipher string?

  • _DDD's avatar
    _DDD
    Icon for Nimbostratus rankNimbostratus

    Hi Daniel,

     

    Thanks for the answer. For the question 1, we use the ssl profile with cipher '!SSLv2:!EXPORT:!DHE+AES-GCM:!DHE+AES:!DHE+3DES:ECDHE+AES-GCM:ECDHE+AES:RSA+AES-GCM:RSA+AES:ECDHE+3DES:RSA+3DES:-MD5:-SSLv3:-RC4:@SPEED'. But we got the two different result. Here is the report which get the B grade

     

    Same ssl profile on another VS, but it got A grade

     

    We think it's weird, so we have opened the technical support case, and they ask us to capture the traffic on client side respectively. We'll check it with Support to see what happen between the ssl handshake. Thanks again for the answer.

     

    Regards,

    Ding

    • Hi Ding,

       

      It's an odd behaviour. Please share the results with us.

       

      KR

      Daniel

  • Hi Ding,

     

    the first question is difficult to answer, without seeing the config or the report.

    Regarding your second question - the first device that does the SSL handshake with the client is important.

    Check the configuration on this device.

     

    KR

    Daniel