
Forum Discussion

smalex
Mar 24, 2021

Selected Cipher in SSL profile

Based on the security team's recommendation, we need to avoid particular ciphers and include a particular cipher.

I used the line below in the client SSL profile.

DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA

I expect ECDHE-ECDSA-AES128-SHA256 to be listed, but when scanning using an online tool, I do not see this particular cipher.

Below is the list detected by the tool:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   128

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK   256

Software version: BIG-IP 12.1.5.3 Build 0.16.5 Engineering Hotfix

Please advise what I am missing.

1 Reply

  • If you use the NATIVE cipher list, do you have the same issue? In version 12.1, the NATIVE list by default has ECDHE-ECDSA-AES128-SHA256.

     

    https://support.f5.com/csp/article/K13163
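A way to compare the scanner rows against the profile string from the question, as an added example that is not part of the original thread and is not F5 code. It assumes each `!` token is an exact suite name, does not expand the `DEFAULT` keyword, and uses a hypothetical `normalize` helper to bring IANA and profile-style names to one form.

```python
import re

# Cipher string and scanner rows copied from the post above.
CIPHER_STRING = (
    "DEFAULT:ECDHE-ECDSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:"
    "!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-DES-CBC3-SHA:"
    "!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:"
    "!AES128-SHA256:!AES128-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES256-CBC-SHA:"
    "!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-CBC-SHA:!ECDHE-RSA-DES-CBC3-SHA"
)
SCAN_OUTPUT = """\
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
"""

def normalize(name):
    """Reduce an IANA or profile-style suite name to one comparable form (assumed rules)."""
    n = name.upper().replace("TLS_", "", 1).replace("_WITH_", "-").replace("_", "-")
    n = re.sub(r"AES-(\d+)", r"AES\1", n)    # AES-256 -> AES256
    n = re.sub(r"-CBC(?=-)", "", n)          # drop explicit CBC, keep CBC3
    return re.sub(r"^RSA-", "", n)           # static-RSA suites carry no prefix

def auth_of(norm):
    """Authentication algorithm named in a normalized suite name."""
    parts = norm.split("-")
    return parts[1] if parts[0] in ("ECDHE", "DHE", "ECDH", "DH") else "RSA"

def compare(cipher_string, scan_output):
    tokens = cipher_string.split(":")
    excluded = {normalize(t[1:]) for t in tokens if t.startswith("!")}
    wanted = [normalize(t) for t in tokens if "-" in t and t[0] not in "!+-"]
    observed = [normalize(m) for m in re.findall(r"^(TLS_\w+)", scan_output, re.M)]
    return {
        "missing": [w for w in wanted if w not in observed],
        "excluded_but_offered": [o for o in observed if o in excluded],
        "offered_not_excluded": [o for o in observed if o not in excluded],
        "observed_auth": sorted({auth_of(o) for o in observed}),
        "wanted_auth": sorted({auth_of(w) for w in wanted}),
    }

if __name__ == "__main__":
    for key, value in compare(CIPHER_STRING, SCAN_OUTPUT).items():
        print(f"{key}: {value}")
```

None of the five scanned suites is named by a `!` token, and all of them are RSA-authenticated, while the suite the string adds is ECDSA-authenticated. An ECDHE-ECDSA suite can only be negotiated when the server presents an ECDSA certificate, so the key type of the certificate bound to the profile is worth checking alongside the cipher string.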