Forum Discussion
SSL Profiles - Client Side and Ciphers used.
I have an SSL parent profile (client) using a set of custom profiles. I've then configured two client-side SSL profiles using this parent profile. I've then used the two SSL profiles on two separate VIPs.
When I run an SSL Server test using https://www.ssllabs.com/ssltest I'm getting a rating of B (i.e. good) on one of the VIPs but a very poor rating of F on the other site.
The problem seems to be related to one of the SSL client-side ciphers being used - TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE
I'm trying to understand why this is being used; it's not in my cipher list, and even if it is, why is one profile fine but the other is not?
Hope this makes sense -> overall, the cipher list is listed within the parent profile, which is being used in two SSL client-side profiles which seem to be behaving differently.
- jaikumar_f5
Noctilucent
This is due to ADH being enabled in the ciphers. And there could be weaker ciphers in your cipher list.
Try the below cipher change and test it:
TLSv1_2:!ADH:!DES:!3DES:!RC4
On the other hand, can you also pull this up and share it with us:
tmsh list ltm profile client-ssl ciphers
- nitass
Employee
The error that I'm getting is related to the F5 negotiating TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a)
Can you try openssl s_client using that cipher to the virtual server?
openssl s_client -cipher ADH-AES256-SHA -connect
P.S. I assume TLS_DH_anon_WITH_AES_256_CBC_SHA is ADH-AES256-SHA according to https://www.openssl.org/docs/manmaster/man1/ciphers.html
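The s_client check suggested above, as a repeatable script (an added example, not part of the original thread): it offers a single suite to a virtual server and reports whether the server actually selected it, so both VIPs can be compared after a cipher change. The host:port argument is a placeholder for your own VIP, the function names are made up for this example, and `@SECLEVEL=0` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Usage: sh probe.sh <host:port of your VIP> <OpenSSL suite name, e.g. ADH-AES256-SHA>

# Reads `openssl s_client` output on stdin and prints the negotiated suite.
# Prints nothing and returns non-zero when the handshake was refused.
negotiated_cipher() {
    # s_client reports "New, <protocol>, Cipher is <name>";
    # <name> is "(NONE)" when no suite was agreed.
    sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1 | grep -v '^(NONE)$'
}

# Offers exactly one suite and checks that the server picked that suite.
# Comparing names avoids a false positive when the server falls back to a
# TLS 1.3 suite, which -cipher does not control.
probe_suite() {
    target=$1
    suite=$2
    # Recent OpenSSL clients drop anonymous suites at the default security
    # level, so the offer lowers it for this one test connection.
    got=$(openssl s_client -cipher "$suite:@SECLEVEL=0" -connect "$target" \
            </dev/null 2>/dev/null | negotiated_cipher) || got=
    if [ "$got" = "$suite" ]; then
        echo "ACCEPTED $suite on $target"
    else
        echo "refused  $suite on $target (negotiated: ${got:-none})"
        return 1
    fi
}

# Constructed sample of s_client output (not captured from a real server).
SAMPLE='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ADH-AES256-SHA
Secure Renegotiation IS supported
---'

if [ "$#" -eq 2 ]; then
    probe_suite "$1" "$2"
else
    # No arguments: run the parser over the constructed sample only.
    printf '%s\n' "$SAMPLE" | negotiated_cipher
fi
```

An "ACCEPTED" result for ADH-AES256-SHA on one VIP and "refused" on the other points at the two client-SSL profiles not sharing the same effective cipher string.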