Forum Discussion
smp_86112
Cirrostratus
Aug 10, 2010
Specifying Ciphers in Client SSL Profiles
We just encountered a situation where (we believe) upgrading to 10.2.0 broke SSL connections for particular clients. According to the 10.2 release notes, MD5 ciphers were taken out of the default SSL ...
smp_86112
Cirrostratus
Aug 10, 2010
After reading SOL10262 again, I believe you're right. But if that's true, there's something I can't reconcile. The client only accepts TLS_RSA_WITH_RC4_128_MD5, which I have verified through a network trace. And according to the OpenSSL doc, TLS_RSA_WITH_RC4_128_MD5 is equivalent to RC4-MD5, which should have been accepted since RC4-MD5 is in the DEFAULT cipher list on the Client SSL Profile. But the LTM would not accept the connection.
What seems to have worked is removing !MD5 from the DEFAULT cipher list !SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED (according to SOL7815). In other words, this cipher list seems to have worked:
!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED
Does it make sense to you why LTM 10.2.0 would accept a TLS_RSA_WITH_RC4_128_MD5/RC4-MD5 cipher with this customized cipher list, but not "DEFAULT"? The only answer I can come up with is that cipher MD5 is included in DES-CBC-SHA, but I don't think that's true from what I can see in the OpenSSL doc.
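The following is an added example, not part of the original post and not F5's or OpenSSL's code: a simplified model of OpenSSL-style cipher-string evaluation that reports which rule in each of the two strings quoted above excludes a given cipher. The cipher table is a small constructed subset, and treating `@SPEED` as an ordering-only directive is an assumption of the model.

```python
# Constructed sample table (cipher name -> OpenSSL-style attribute keywords).
# A small illustrative subset, not the real BIG-IP or OpenSSL cipher table.
CIPHERS = {
    "RC4-MD5":            {"SSLv3", "RSA", "RC4", "MD5"},
    "RC4-SHA":            {"SSLv3", "RSA", "RC4", "SHA"},
    "AES128-SHA":         {"SSLv3", "RSA", "AES", "SHA"},
    "DES-CBC3-SHA":       {"SSLv3", "RSA", "3DES", "SHA"},
    "DES-CBC-SHA":        {"SSLv3", "RSA", "DES", "SHA"},
    "EXP-RC4-MD5":        {"SSLv3", "RSA", "RC4", "MD5", "EXPORT"},
    "DHE-RSA-AES128-SHA": {"SSLv3", "DH", "EDH", "AES", "SHA"},
    "DES-CBC-MD5":        {"SSLv2", "RSA", "DES", "MD5"},
}

# The two cipher strings exactly as quoted in the post.
DEFAULT_FROM_POST = "!SSLv2:ALL:!DH:!ADH:!EDH:!MD5:!EXPORT:!DES:@SPEED"
CUSTOM = "!SSLv2:ALL:!DH:!ADH:!EDH:!EXPORT:!DES:@SPEED"


def expand(cipher_string):
    """Return (selected ciphers in order, {cipher: first rule that excluded it})."""
    selected, killed_by = [], {}
    for rule in cipher_string.split(":"):
        if not rule or rule.startswith("@"):  # ordering directive: membership unchanged
            continue
        op = rule[0] if rule[0] in "!-+" else ""
        keyword = rule[len(op):]
        hits = [n for n, tags in CIPHERS.items()
                if keyword in ("ALL", n) or keyword in tags]
        if op == "!":                 # permanent: later rules cannot re-add these
            for n in hits:
                killed_by.setdefault(n, rule)
        if op in ("!", "-"):
            selected = [n for n in selected if n not in hits]
        elif op == "+":               # move already-selected matches to the end
            moved = [n for n in selected if n in hits]
            selected = [n for n in selected if n not in hits] + moved
        else:
            selected += [n for n in hits
                         if n not in selected and n not in killed_by]
    return selected, killed_by


if __name__ == "__main__":
    for label, s in (("DEFAULT", DEFAULT_FROM_POST), ("custom", CUSTOM)):
        selected, killed_by = expand(s)
        print(label, "offers RC4-MD5:", "RC4-MD5" in selected,
              "| excluded by:", killed_by.get("RC4-MD5"))
```

In this model `!MD5` matches on the cipher's MAC attribute, so it removes RC4-MD5 by itself, while `!DES` only removes single-DES ciphers such as DES-CBC-SHA.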