Forum Discussion

Qasim
Jun 18, 2020

RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

Hi,


We have recently noticed that we are getting the following error in Chrome when browsing to services hosted on F5:

Connection - obsolete connection settings

The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

  • RSA key exchange is obsolete. Enable an ECDHE-based cipher suite


Now I have double checked and our F5 does have ECDHE-based cipher suites, and it's the latest version of Google Chrome. Does anyone know what might be causing this? If so, how can we fix this?


Or is there any way to prioritise certain cipher suites, instead of disabling the weak ones?


Regards,


  • NAG

    Hi Qasim,


    You are seeing that message because RSA is being used as the key exchange algorithm. You should consider using ECDHE_RSA for key exchange instead.


    Here is how I would solve it.


    Requirements:

    1) Force the use of TLS 1.2

    2) Disable RSA as the key exchange algorithm


    Steps:

    1) Go to the Client SSL profile you want to edit.


    2) Select Advanced Configuration and tick the customisation button for Ciphers.


    3) Copy and paste the following string:

    DEFAULT:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE:!RSA


    Following is a screenshot of the client SSL profile I have created to illustrate this for you.


    Hope this helps.


    Please let me know if you have any questions.


    -Nag
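To make NAG's cipher string concrete, and to answer the prioritisation question in the original post, here is an added example that is not part of the thread and not F5's own code. It models how a colon-separated cipher string is evaluated left to right against a catalogue of suites (plain keywords add matching suites in the order they are first mentioned, `!keyword` removes them and bans them from being re-added), flags the suites that would produce Chrome's "RSA key exchange is obsolete" note, and includes a small live check that reports which cipher a server actually negotiated. The catalogue is constructed for illustration and is not F5's real DEFAULT list; the keyword semantics (RSA meaning static RSA key exchange, so ECDHE_RSA suites survive `!RSA`, and leftmost-first preference) follow NAG's description and are assumptions about the F5 syntax.

```python
# Added example: offline model of an F5-style cipher string, plus a live negotiated-cipher
# check. Not from the thread or from F5. The catalogue and keyword semantics below are
# assumptions made for illustration.
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str     # OpenSSL/F5-style suite name
    kex: str      # key-exchange keyword: "RSA" (static), "DHE", "ECDHE"
    version: str  # protocol keyword: TLSv1, TLSv1_1, TLSv1_2, TLSv1_3, DTLSv1


# Constructed catalogue in a plausible DEFAULT preference order (NOT F5's real DEFAULT list).
CATALOGUE = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "TLSv1_2"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "TLSv1_2"),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DHE", "TLSv1_2"),
    Suite("AES256-GCM-SHA384", "RSA", "TLSv1_2"),          # static RSA kex -> Chrome warns
    Suite("AES128-SHA", "RSA", "TLSv1"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDHE", "TLSv1"),
    Suite("TLS13-AES256-GCM-SHA384", "ECDHE", "TLSv1_3"),  # TLS 1.3 always uses (EC)DHE
]

# The string NAG posted in the thread.
NAG_STRING = "DEFAULT:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE:!RSA"


def _matches(suite: Suite, keyword: str) -> bool:
    """A keyword selects a suite by key exchange, protocol version or exact name;
    DEFAULT matches everything in the catalogue (assumed semantics)."""
    return keyword == "DEFAULT" or keyword in (suite.kex, suite.version, suite.name)


def apply_cipher_string(cipher_string: str, catalogue=CATALOGUE) -> list:
    """Evaluate the string left to right. Plain keywords append matching suites (the first
    mention fixes a suite's position, so the leftmost keyword sets preference); "!keyword"
    removes matching suites and bans them so a later keyword cannot re-add them."""
    selected, banned = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token.startswith("!"):
            banned.update(s for s in catalogue if _matches(s, token[1:]))
            selected = [s for s in selected if s not in banned]
        else:
            for s in catalogue:
                if _matches(s, token) and s not in banned and s not in selected:
                    selected.append(s)
    return selected


def triggers_chrome_warning(suite: Suite) -> bool:
    """Chrome's 'RSA key exchange is obsolete' note applies to static RSA key exchange."""
    return suite.kex == "RSA"


def key_exchange_of(openssl_name: str) -> str:
    """Classify a cipher name as returned by a live handshake. Simplified: rarer families
    (static ECDH, PSK, anonymous suites) are not distinguished."""
    if openssl_name.startswith("TLS_"):
        return "ECDHE"  # TLS 1.3 names; key exchange is always ephemeral
    if openssl_name.startswith("ECDHE-"):
        return "ECDHE"
    if openssl_name.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def negotiated_cipher(host: str, port: int = 443) -> tuple:
    """Connect to a server and return (cipher_name, protocol, key_exchange) to confirm
    what a client actually negotiates. Makes a network connection; not used in tests."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto, key_exchange_of(name)


if __name__ == "__main__":
    for label, cs in [("NAG's string", NAG_STRING), ("ECDHE first", "ECDHE:DEFAULT:!RSA")]:
        print(f"{label}: {cs}")
        for s in apply_cipher_string(cs):
            flag = "  <-- Chrome warns" if triggers_chrome_warning(s) else ""
            print(f"  {s.version:8} {s.kex:6} {s.name}{flag}")
```

Running the script shows that NAG's string leaves only the TLS 1.2 ECDHE suites, while a string such as `ECDHE:DEFAULT:!RSA` keeps the DHE suites but lists the ECDHE ones first, which is the "prioritise rather than disable" option asked about in the original post (assuming the F5 honours string order for server preference). One caveat worth keeping in mind: in OpenSSL's cipher-string syntax `RSA` matches suites using RSA for key exchange or authentication, so `!RSA` there would also drop ECDHE-RSA; the OpenSSL equivalent of NAG's intent is `!kRSA`. The live check uses Python's `ssl` module, whose offered cipher list differs from Chrome's, so treat its result as a sanity check rather than an exact reproduction of the browser's handshake.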

  • Qasim

    Hi Nag,


    Many thanks for your help.


    Kind regards,

    Qasim