Forum Discussion
TMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE
- Dec 21, 2017
But the point is that the command sys httpd ssl-ciphersuite on 11.6.x doesn't seem to then correctly configure Apache services to use this for the TMUI.
I understand this has been corrected in 12.0.
Hi JD,
It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.
Please let me know if this answers your question.
Hello JD,
We do see ECDHE-based cipher suites being available on httpd for 11.6.x when I run the following command:
openssl ciphers -v 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP'
If you see ECDHE not working in 11.6.x, then that is likely due to the older version of mod_ssl being used there. We have since upgraded the mod_ssl package in 12.x, which is why you see it there. In any case, the answer to your question is no. We don't support updating components/packages like mod_ssl.
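An added example, not part of the original thread or F5's tooling: a shell check that reads `openssl ciphers -v` output and lists every suite whose key exchange is not ECDHE, so the effect of appending ':!kDH:!kEDH:!kRSA' can be confirmed. The function names and the sample lines are constructed for illustration; it reports what the openssl stack expands the string to, not what the older mod_ssl in 11.6.x actually negotiates.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not BIG-IP commands.

# Read `openssl ciphers -v` output on stdin and print each suite whose
# Kx= column is not ephemeral ECDH.
non_ecdhe_suites() {
    awk 'NF == 0 { next }
    {
        kx = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        # Kx=ECDH is ECDHE; static ECDH prints as Kx=ECDH/RSA or
        # Kx=ECDH/ECDSA and is therefore reported as well.
        if (kx != "ECDH") print $1 " (Kx=" kx ")"
    }'
}

# Constructed sample in the column layout of `openssl ciphers -v`.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Expand a cipher string with the local openssl binary.
# Returns 0 if only ECDHE suites remain, 1 if others remain,
# 2 if openssl rejects the string or is not installed.
check_cipher_string() {
    list=$(openssl ciphers -v "$1") || return 2
    bad=$(printf '%s\n' "$list" | non_ecdhe_suites)
    if [ -n "$bad" ]; then
        printf 'non-ECDHE suites still enabled:\n%s\n' "$bad"
        return 1
    fi
    echo "only ECDHE key exchange remains"
}

# Offline demonstration on the constructed sample.
sample_ciphers | non_ecdhe_suites

# On a host with openssl, using the strings quoted in the thread:
#   check_cipher_string 'DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!kDH:!kEDH:!kRSA'
```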