Forum Discussion

Cirrostratus

Jun 18, 2020

RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

HI, we have recently noticed that we are getting the following error in Chrome when browsing to services hosted on F5: Connection - obsolete connection settings The connection to this site is...

NAG

Cirrostratus

Jun 18, 2020

Hi Qasim,

You are seeing that message as RSA is being used as key exchange algorithm. You should consider using ECDHE_RSA for key exchange instead.

Here is how I would solve it.

Requirements:

1) force the use of TLS 1.2

2) Disable RSA as Key exchange algorithm

Steps:

1) go to Client SSL profile you want to edit.

2) Select Advanced Configuration and tick customisation button for Ciphers.

3) Copy and paste the following string

DEFAULT:!TLSv1:!TLSv1_1:!TLSv1_3:!DTLSv1:!DHE:!RSA

Following is the screenshot of client SSL profile I have created to illustrate to you.

Hope this helps.

Please let me know if you have any questions.

-Nag

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

RSA key exchange is obsolete. Enable an ECDHE-based cipher suite

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

The Business Partner Exchange - An F5 Distributed Cloud Services Demonstration

Rustls with NGINX, Password Based Key Exchange, & Llama Drama

I'm Sorry Sir, You're Obsolete

Exchange 2016

MS Exchange ProxyNotShell block implemented via iRules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS