Forum Discussion
TLS 1.2 and PFS on 10.2.4
Hi guys, I have a problem enabling both TLS 1.2 and PFS on a 10.2.4 unit. Using the following string should do it in theory:
COMPAT:+TLSv1_2:EDH:!MD5:!EXPORT:!ADH:!DES:!RC4:!SSLv3:@STRENGTH
And tmm --clientcipher says it does:
0: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA
1: 57 DHE-RSA-AES256-SHA 256 DTLS1 Compat AES SHA EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Compat AES SHA EDH/RSA
3: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Compat DES SHA EDH/RSA
4: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Compat DES SHA EDH/RSA
5: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Compat DES SHA EDH/RSA
6: 51 DHE-RSA-AES128-SHA 128 TLS1 Compat AES SHA EDH/RSA
7: 51 DHE-RSA-AES128-SHA 128 DTLS1 Compat AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Compat AES SHA EDH/RSA
However SSLlabs and other tools say that TLS 1.2 is not supported. Any idea what I'm doing wrong?
Thanks in advance.
8 Replies
- What_Lies_Bene1
Cirrostratus
Hmmm, TLS 1.2 support was introduced with v10.2.3 so this should work. However, I wonder if the use of COMPAT is the issue. Is there a reason you are using it?
- lostmyspaceship
Nimbostratus
I'm using COMPAT because of the PFS, it seems PFS is not available in the NATIVE stack. It's strange though that with COMPAT tmm says both TLS1.2 and PFS should be there, and they aren't.
- Ken_Schultz_525
Nimbostratus
Wouldn't EDH:!SSLv3:!DES:@STRENGTH yield the same results as the string you used, and be simpler? (I don't have a 10.2 box to confirm)
What happens if you test using this one instead: EDH+TLSv1_2:EDH:!SSLv3:!DES:@STRENGTH
- lostmyspaceship
Nimbostratus
It seems I have to use either COMPAT, NATIVE, or DEFAULT in order to get any ciphers when I check it with tmm. I also do not want MD5, RC4, Anon DH and Export grade. Adding all those results in my original string, except the explicit mention of TLSv1_2: COMPAT:!EXPORT:EDH:!ADH:!MD5:!RC4:!SSLv3:!DES:@STRENGTH
tmm shows TLS 1.2, but SSLLabs and others still do not see it.
tmm --clientcipher 'COMPAT:!EXPORT:EDH:!ADH:!MD5:!RC4:!SSLv3:!DES:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA
1: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Compat AES SHA EDH/RSA
2: 57 DHE-RSA-AES256-SHA 256 DTLS1 Compat AES SHA EDH/RSA
3: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Compat DES SHA EDH/RSA
4: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Compat DES SHA EDH/RSA
5: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Compat DES SHA EDH/RSA
6: 51 DHE-RSA-AES128-SHA 128 TLS1 Compat AES SHA EDH/RSA
7: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Compat AES SHA EDH/RSA
8: 51 DHE-RSA-AES128-SHA 128 DTLS1 Compat AES SHA EDH/RSA
- Ken_Schultz_525
Nimbostratus
So what does --clientciphers output for you with my suggested cipherstring?
- lostmyspaceship
Nimbostratus
Nothing:
tmm --clientcipher 'EDH:!SSLv3:!DES:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
tmm --clientcipher 'EDH+TLSv1_2:EDH:!SSLv3:!DES:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
- lostmyspaceship
Nimbostratus
And with COMPAT added it adds all the other stuff that isn't needed:
tmm --clientcipher 'COMPAT:EDH:!SSLv3:!DES:@STRENGTH'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 58 ADH-AES256-SHA 256 TLS1 Compat AES SHA ADH
1: 58 ADH-AES256-SHA 256 TLS1.2 Compat AES SHA ADH
2: 58 ADH-AES256-SHA 256 DTLS1 Compat AES SHA ADH
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Compat AES SHA EDH/RSA
5: 57 DHE-RSA-AES256-SHA 256 DTLS1 Compat AES SHA EDH/RSA
6: 27 ADH-DES-CBC3-SHA 192 TLS1 Compat DES SHA ADH
7: 27 ADH-DES-CBC3-SHA 192 TLS1.2 Compat DES SHA ADH
8: 27 ADH-DES-CBC3-SHA 192 DTLS1 Compat DES SHA ADH
9: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1 Compat DES SHA EDH/RSA
10: 22 DHE-RSA-DES-CBC3-SHA 192 TLS1.2 Compat DES SHA EDH/RSA
11: 22 DHE-RSA-DES-CBC3-SHA 192 DTLS1 Compat DES SHA EDH/RSA
12: 0 DES-CBC3-MD5 192 SSL2 Compat DES MD5 RSA
13: 24 ADH-RC4-MD5 128 TLS1 Compat RC4 MD5 ADH
14: 24 ADH-RC4-MD5 128 TLS1.2 Compat RC4 MD5 ADH
15: 52 ADH-AES128-SHA 128 TLS1 Compat AES SHA ADH
16: 52 ADH-AES128-SHA 128 TLS1.2 Compat AES SHA ADH
17: 52 ADH-AES128-SHA 128 DTLS1 Compat AES SHA ADH
18: 51 DHE-RSA-AES128-SHA 128 TLS1 Compat AES SHA EDH/RSA
19: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Compat AES SHA EDH/RSA
20: 51 DHE-RSA-AES128-SHA 128 DTLS1 Compat AES SHA EDH/RSA
21: 0 RC4-MD5 128 SSL2 Compat RC4 MD5 RSA
22: 0 RC2-CBC-MD5 128 SSL2 Compat RC2 MD5 RSA
23: 0 RC4-64-MD5 64 SSL2 Compat RC4 MD5 RSA
24: 97 EXP1024-RC2-CBC-MD5 56 TLS1 Compat RC2 MD5 RSA
25: 97 EXP1024-RC2-CBC-MD5 56 TLS1.2 Compat RC2 MD5 RSA
26: 97 EXP1024-RC2-CBC-MD5 56 DTLS1 Compat RC2 MD5 RSA
27: 6 EXP-RC2-CBC-MD5 40 TLS1 Compat RC2 MD5 RSA
28: 6 EXP-RC2-CBC-MD5 40 TLS1.2 Compat RC2 MD5 RSA
29: 6 EXP-RC2-CBC-MD5 40 DTLS1 Compat RC2 MD5 RSA
30: 23 EXP-ADH-RC4-MD5 40 TLS1 Compat RC4 MD5 ADH
31: 23 EXP-ADH-RC4-MD5 40 TLS1.2 Compat RC4 MD5 ADH
32: 0 EXP-RC4-MD5 40 SSL2 Compat RC4 MD5 RSA
33: 0 EXP-RC2-CBC-MD5 40 SSL2 Compat RC2 MD5 RSA
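An added example (not from this thread or from F5) that parses the table tmm --clientcipher prints and reports which protocols are listed and which rows an authenticated, forward-secret, no-legacy policy would reject; the sample rows are a constructed subset of the COMPAT output posted above.

```python
import re

# One row of tmm output, e.g. "3: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA"
ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)"
    r"\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)

# Constructed sample: a subset of the rows posted for 'COMPAT:EDH:!SSLv3:!DES:@STRENGTH'.
SAMPLE = """ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 58 ADH-AES256-SHA 256 TLS1 Compat AES SHA ADH
1: 58 ADH-AES256-SHA 256 TLS1.2 Compat AES SHA ADH
3: 57 DHE-RSA-AES256-SHA 256 TLS1 Compat AES SHA EDH/RSA
4: 57 DHE-RSA-AES256-SHA 256 TLS1.2 Compat AES SHA EDH/RSA
12: 0 DES-CBC3-MD5 192 SSL2 Compat DES MD5 RSA
13: 24 ADH-RC4-MD5 128 TLS1 Compat RC4 MD5 ADH
19: 51 DHE-RSA-AES128-SHA 128 TLS1.2 Compat AES SHA EDH/RSA
27: 6 EXP-RC2-CBC-MD5 40 TLS1 Compat RC2 MD5 RSA
"""

def parse_clientcipher(text):
    """Return one dict per suite row; the header line and anything unparsable is skipped."""
    rows = [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]
    for row in rows:
        row["bits"] = int(row["bits"])
    return rows

def weak_reasons(row):
    """Why a row fails a PFS-only, authenticated, no-legacy policy (empty list = acceptable)."""
    reasons = []
    if row["keyx"] == "ADH":
        reasons.append("anonymous DH: no server authentication")
    elif not row["keyx"].startswith("EDH"):
        reasons.append("static key exchange: no forward secrecy")
    if row["mac"] == "MD5":
        reasons.append("MD5 MAC")
    if row["cipher"] in ("RC4", "RC2"):
        reasons.append(row["cipher"] + " cipher")
    if row["suite"].startswith("EXP") or row["bits"] < 128:
        reasons.append("export grade (<128 bits)")
    if row["prot"] == "SSL2":
        reasons.append("SSLv2")
    return reasons

def audit(text):
    """Summarise a listing: protocols present, row count, and rejected rows with their reasons."""
    rows = parse_clientcipher(text)
    weak = {f'{r["suite"]}/{r["prot"]}': weak_reasons(r) for r in rows if weak_reasons(r)}
    return {"protocols": sorted({r["prot"] for r in rows}), "suites": len(rows), "weak": weak}
```

The listing is only what the stack claims it can negotiate, which is exactly the gap in this thread (tmm lists TLS1.2 rows, SSL Labs never negotiates it), so pair this audit with a handshake test from an external client.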
- d2_21508
Nimbostratus
Hi, did you manage to fix this issue? I'm trying to do the same, no luck so far. F5 BIG IP 10.2.4 HF11