Forum Discussion

JD1's avatar
JD1
Icon for Altostratus rankAltostratus
Dec 13, 2017

TMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE

Hi All, I'm currently using BIG-IP 11.6.2 HF1. I'm required to secure the Management WebUI ciphers offered out. I'd prefer to drop all key exchange methods except for ECDHE. However, it seems...
BIG-IP
ecdhe
security
TMOS
tmui
  • nitass's avatar
    nitass
    Dec 21, 2017

    But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.

     

    i understand this has been corrected in 12.0.

     

Ashwin_Venkat's avatar
Ashwin_Venkat
Icon for Employee rankEmployee

Hi JD,

 

It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.

 

Please let me know if this answers your question.

 

Ashwin_Venkat's avatar
Ashwin_Venkat
Icon for Employee rankEmployee
Dec 21, 2017

Hello JD,

We do see that ECDHE based cipher suites being available on httpd for 11.6.x when I run the following command:

openssl ciphers -v 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP'

If you see ECDHE not working in 11.6.x, then that is likely due to the older version of mod_ssl being used there. We have since upgraded the mod_ssl package in 12.x, which is why you see it there. In any case, the answer to your question is no. We don't support updating components/packages like mod_ssl.