smp_86112
Aug 10, 2010

Specifying Ciphers in Client SSL Profiles

We just encountered a situation where (we believe) upgrading to 10.2.0 broke SSL connections for particular clients. According to the 10.2 release notes, MD5 ciphers were taken out of the default SSL cipher list. And the clients having the problem use only the TLS_RSA_WITH_RC4_128_MD5 cipher suite, which I have validated in a network trace.

According to the OpenSSL doc, TLS_RSA_WITH_RC4_128_MD5 equates to the "RC4-MD5" cipher list which I can add to the cipher list in the Client SSL profile. What I wanted to do is simply add RC4-MD5 to the DEFAULT list of ciphers, like this:

DEFAULT:RC4-MD5

However, this didn't appear to work; the handshake still fails. According to the F5 doc, the DEFAULT cipher list explicitly removes MD5 ciphers:

!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED

I've seen a prepended addition sign (+) in the cipher list in some of the documentation, but I've never seen the documentation about when you would use it. I'm wondering if there's a conflict between !MD5 in the DEFAULT cipher list and my :RC4-MD5?
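
The OpenSSL ciphers documentation defines three prefixes: `!` deletes matching ciphers permanently so they cannot reappear even when named later, `-` deletes them but allows a later item to add them back, and `+` only moves ciphers already in the list to the end. The sketch below is an added example, not part of the original post and not F5 or OpenSSL code; it models those documented rules over a constructed seven-cipher catalogue. It assumes the BIG-IP profile parser follows the same semantics, and it does not model the `@SPEED` ordering.

```python
# Constructed mini-catalogue (not a real cipher table): name -> matching keywords.
CATALOG = {
    "AES256-SHA":         {"ALL", "RSA", "AES", "SHA"},
    "AES128-SHA":         {"ALL", "RSA", "AES", "SHA"},
    "RC4-SHA":            {"ALL", "RSA", "RC4", "SHA"},
    "RC4-MD5":            {"ALL", "RSA", "RC4", "MD5"},
    "DES-CBC-SHA":        {"ALL", "RSA", "DES", "SHA"},
    "EXP-RC4-MD5":        {"ALL", "RSA", "RC4", "MD5", "EXPORT"},
    "DHE-RSA-AES128-SHA": {"ALL", "DH", "EDH", "AES", "SHA"},
}
# DEFAULT expansion exactly as quoted in the post.
F5_DEFAULT = "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED"

def matches(token):
    """Ciphers selected by a keyword (e.g. MD5) or an exact name (e.g. RC4-MD5)."""
    return [n for n, tags in CATALOG.items() if token == n or token in tags]

def evaluate(spec):
    """Return the ordered cipher list a colon-separated spec produces."""
    items = []
    for item in spec.split(":"):
        items += F5_DEFAULT.split(":") if item == "DEFAULT" else [item]
    active, killed = [], set()
    for item in items:
        if not item or item.startswith("@"):  # sort directives not modelled
            continue
        op, token = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = matches(token)
        if op == "!":      # permanent delete: can never be re-added
            killed.update(hits)
            active = [c for c in active if c not in hits]
        elif op == "-":    # delete, but a later item may add it back
            active = [c for c in active if c not in hits]
        elif op == "+":    # move existing matches to the end; adds nothing
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:              # plain item: append unless listed or killed
            active += [c for c in hits if c not in active and c not in killed]
    return active

if __name__ == "__main__":
    for spec in ("DEFAULT:RC4-MD5", "ALL:-MD5:RC4-MD5", "ALL:+RC4"):
        print(f"{spec:18} -> {evaluate(spec)}")
```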