Forum Discussion
SSL profile DEFAULT ciphers LTM
Hello All,
Using an SSL profile with DEFAULT ciphers configured, I supposed that the F5 LTM should use the stronger ciphers in priority?
Example: Client --> LB --> Back-end. The SSL client profile is configured with DEFAULT ciphers.
From the client side, I can see that the client is sending a Client Hello with the following ciphers:
Cipher Suites (4 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
So, I suppose that the F5 LB should use the stronger cipher, but it seems to use the RSA one, as you can see below:
The Server hello delivered by the F5 :
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
From the F5, I can see that the following ciphers are supported:
tmm --clientciphers DEFAULT | grep "TLS1 Native"
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Native AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1 Native AES SHA EDH/RSA
12: 22 DHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA EDH/RSA
19: 53 AES256-SHA 256 TLS1 Native AES SHA RSA
24: 47 AES128-SHA 128 TLS1 Native AES SHA RSA
28: 10 DES-CBC3-SHA 168 TLS1 Native DES SHA RSA
35: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA
39: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA
42: 49170 ECDHE-RSA-DES-CBC3-SHA 168 TLS1 Native DES SHA ECDHE_RSA
So, the LB should be able to use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA instead of the RSA cipher it returned?
Is it normal? Thanks a lot.
Regards, Frédéric
- JRahm
Admin
Completely normal. The default ciphers and order change from version to version. I encourage people to specify their own cipher string so that
- they have control over what's selected
- a version upgrade doesn't accidentally remove a necessary cipher
John wrote an article on improving your security score a while back and I wrote one on manipulating your cipher list as well.
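To make JRahm's answer concrete, here is an added example (not F5 code, not from the thread's authors) that models server-preference selection over the DEFAULT list printed above: the BIG-IP walks its own list in priority order and takes the first suite the client also offered. Because AES256-SHA (index 19) sits ahead of ECDHE-RSA-AES256-CBC-SHA (index 35) in that list, the RSA suite wins; an assumed custom ordering that places ECDHE first changes the outcome.

```python
# Constructed model of server-preference cipher selection, written to explain
# the thread's observation; it is not BIG-IP code. Suite ids are the decimal
# values from the tmm --clientciphers output converted to hex.
F5_DEFAULT_TLS1 = [  # (priority index, suite id, name) as listed on the page
    (3, 0x0039, "DHE-RSA-AES256-SHA"),
    (8, 0x0033, "DHE-RSA-AES128-SHA"),
    (12, 0x0016, "DHE-RSA-DES-CBC3-SHA"),
    (19, 0x0035, "AES256-SHA"),
    (24, 0x002F, "AES128-SHA"),
    (28, 0x000A, "DES-CBC3-SHA"),
    (35, 0xC014, "ECDHE-RSA-AES256-CBC-SHA"),
    (39, 0xC013, "ECDHE-RSA-AES128-CBC-SHA"),
    (42, 0xC012, "ECDHE-RSA-DES-CBC3-SHA"),
]

# The four suites from the client's ClientHello in the thread, in client order.
CLIENT_HELLO = [0xC014, 0xC013, 0x0035, 0x002F]


def select_cipher(server_prefs, client_offered):
    """Server-preference selection: the first suite in the server's priority
    order that the client also offered, or None if there is no overlap."""
    offered = set(client_offered)
    for _, suite_id, name in sorted(server_prefs):
        if suite_id in offered:
            return suite_id, name
    return None


def with_default_list():
    """What the DEFAULT ordering yields for this ClientHello."""
    return select_cipher(F5_DEFAULT_TLS1, CLIENT_HELLO)  # (0x0035, "AES256-SHA")


# Assumed custom ordering (hypothetical, to illustrate the advice): the same
# suites, but every ECDHE suite moved ahead of the DHE and plain RSA ones.
ECDHE_FIRST = [
    (i, sid, name)
    for i, (_, sid, name) in enumerate(
        [t for t in F5_DEFAULT_TLS1 if t[2].startswith("ECDHE")]
        + [t for t in F5_DEFAULT_TLS1 if not t[2].startswith("ECDHE")]
    )
]


def with_ecdhe_first():
    """Same ClientHello, ECDHE-first server list: the forward-secret suite wins."""
    return select_cipher(ECDHE_FIRST, CLIENT_HELLO)
```

Run `tmm --clientciphers` with your own cipher string to see the real priority order the box will apply before trusting the model.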