Forum Discussion

Adriaan
Jul 09, 2021

SSLv3 Cipher support

I have an old SSL client that uses the following ciphers:

Secure Sockets Layer
  SSLv3 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: SSL 3.0 (0x0300)
    Length: 49
    Handshake Protocol: Client Hello
      Handshake Type: Client Hello (1)
      Length: 45
      Version: SSL 3.0 (0x0300)
      Random
      Session ID Length: 0
      Cipher Suites Length: 6
      Cipher Suites (3 suites)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
      Compression Methods Length: 1
      Compression Methods (1 method)
        Compression Method: null (0)

F5 error:

Jul 9 15:09:19 MainFrontEnd warning tmm[11852]: 01260009:4: Connection error: ssl_hs_rxhello:7527: unsupported version (40)

 

Packet trace error:

    Alert Message
      Level: Fatal (2)
      Description: Handshake Failure (40)

Does F5 still support these Ciphers?

 

Using "ALL" or insecure-compatibility ciphers does not do the trick:

!SSLv2:ALL:!DH:!ADH:!EDH:@SPEED

 

Ciphers on F5:

tmsh run util clientssl-ciphers SSLv3

        ID  SUITE                BITS  PROT  METHOD  CIPHER  MAC  KEYX
 0:     57  DHE-RSA-AES256-SHA    256  SSL3  Native  AES     SHA  EDH/RSA
 1:     56  DHE-DSS-AES256-SHA    256  SSL3  Native  AES     SHA  DHE/DSS
 2:     58  ADH-AES256-SHA        256  SSL3  Native  AES     SHA  ADH
 3:     53  AES256-SHA            256  SSL3  Native  AES     SHA  RSA
 4:     22  DHE-RSA-DES-CBC3-SHA  168  SSL3  Native  DES     SHA  EDH/RSA
 5:     27  ADH-DES-CBC3-SHA      168  SSL3  Native  DES     SHA  ADH
 6:     10  DES-CBC3-SHA          168  SSL3  Native  DES     SHA  RSA
 7:     51  DHE-RSA-AES128-SHA    128  SSL3  Native  AES     SHA  EDH/RSA
 8:     50  DHE-DSS-AES128-SHA    128  SSL3  Native  AES     SHA  DHE/DSS
 9:     52  ADH-AES128-SHA        128  SSL3  Native  AES     SHA  ADH
10:     47  AES128-SHA            128  SSL3  Native  AES     SHA  RSA
11:     24  ADH-RC4-MD5           128  SSL3  Native  RC4     MD5  ADH
12:     21  DHE-RSA-DES-CBC-SHA    64  SSL3  Native  DES     SHA  EDH/RSA
13:      5  RC4-SHA               128  SSL3  Native  RC4     SHA  RSA
14:      4  RC4-MD5               128  SSL3  Native  RC4     MD5  RSA
15:     26  ADH-DES-CBC-SHA        64  SSL3  Native  DES     SHA  ADH
16:      9  DES-CBC-SHA            64  SSL3  Native  DES     SHA  RSA
17:     98  EXP1024-DES-CBC-SHA    56  SSL3  Native  DES     SHA  RSA
18:    100  EXP1024-RC4-SHA        56  SSL3  Native  RC4     SHA  RSA
19:      8  EXP-DES-CBC-SHA        40  SSL3  Native  DES     SHA  RSA
20:      3  EXP-RC4-MD5            40  SSL3  Native  RC4     MD5  RSA


list /sys httpd ssl-ciphersuite
sys httpd {
  ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
}

list /sys httpd ssl-protocol
sys httpd {
  ssl-protocol "all -SSLv2 -SSLv3"
}
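
Added example (not part of the original post and not F5 code): a Python parser for a ClientHello like the one in the trace above, with a check that separates a protocol-version mismatch from a cipher mismatch. The names `parse_client_hello` and `triage` and the enabled-version sets passed to `triage` are assumptions; the sample bytes are constructed from the trace's field values with a zero-filled random.

```python
import struct

# Constructed sample: ClientHello rebuilt from the trace's field values
# (the 32 random bytes are zero-filled placeholders).
OFFERED = [0x000A, 0x0005, 0x0004]
BODY = (b"\x03\x00" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(OFFERED))
        + b"".join(struct.pack(">H", s) for s in OFFERED) + b"\x01\x00")
HANDSHAKE = b"\x01" + len(BODY).to_bytes(3, "big") + BODY
RECORD = b"\x16\x03\x00" + struct.pack(">H", len(HANDSHAKE)) + HANDSHAKE

# Suite IDs copied from the `clientssl-ciphers SSLv3` listing in the post.
LISTED_SSL3_IDS = {57, 56, 58, 53, 22, 27, 10, 51, 50, 52, 47,
                   24, 21, 5, 4, 26, 9, 98, 100, 8, 3}


def parse_client_hello(record: bytes) -> dict:
    """Parse one SSLv3/TLS record that holds a complete ClientHello."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    frag = record[5:5 + rec_len]
    if ctype != 22 or len(frag) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(frag[1:4], "big")
    body = frag[4:4 + hs_len]
    if frag[0] != 1 or len(body) != hs_len:
        raise ValueError("not a complete ClientHello")
    try:
        version = struct.unpack(">H", body[:2])[0]
        pos = 34 + 1 + body[34]       # version(2) + random(32) + session ID
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {"record_version": rec_ver, "client_version": version,
            "record_length": rec_len, "handshake_length": hs_len,
            "suites": suites}


def triage(hello: dict, enabled_versions: set, enabled_suites: set) -> str:
    """Return 'version', 'cipher' or 'ok' for a pre-TLS 1.3 style hello."""
    # client_version is the highest version the client speaks; the server
    # needs at least one enabled version at or below it.
    if not any(v <= hello["client_version"] for v in enabled_versions):
        return "version"
    if not enabled_suites.intersection(hello["suites"]):
        return "cipher"
    return "ok"
```

Run against the suite IDs listed in the post, the constructed hello yields `version` when 0x0300 is absent from the enabled set and `ok` once it is present, because IDs 10, 5 and 4 all appear in that listing.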

3 Replies

    • Lidev

      You're welcome.

      If this answer was helpful, please don't forget to mark the answer as "Select as Best" in order to pass your post as resolved and help other people to find it 😉