Forum Discussion
TMUI / Configuration WebUI - TLS/SSL Configuration - ECDHE
- Dec 21, 2017
But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.
I understand this has been corrected in 12.0.
Hi JD,
It is possible to disable all cipher suites other than the ones using ECDHE by appending ':!kDH:!kEDH:!kRSA' (without the quotes) to your cipher string within httpd. That should disable all DH, EDH/DHE, RSA key exchange based cipher suites. We need to specify the 'k' when enabling/disabling a certain key exchange when you modify the string on httpd, as it's based on the openssl stack. When enabling/disabling them within the SSL profiles, you don't need to specify that, because that is natively built into TMM and you can simply specify ':!DHE:!DH:!RSA' (without the quotes) to disable those key exchange based cipher suites.
Please let me know if this answers your question.
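A way to check what a cipher string like the one in the reply above actually leaves enabled, by reading the `Kx=` column of `openssl ciphers -v`. This is an added example, not part of the original post or F5's tooling; the function names, the `CURRENT_STRING` variable and the sample listing are constructed for illustration.

```shell
#!/bin/bash
# List every suite in `openssl ciphers -v` output whose key exchange is not
# ephemeral ECDHE. openssl prints ECDHE as "Kx=ECDH"; any other value
# (Kx=DH, Kx=RSA, Kx=ECDH/RSA for fixed ECDH, ...) is reported.
non_ecdhe_suites() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (NF > 0 && kx != "ECDH") print $1 " " kx
    }'
}

# Constructed sample in `openssl ciphers -v` layout (not captured from a BIG-IP).
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    Mac=SHA1
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
ECDH-RSA-AES256-SHA         SSLv3   Kx=ECDH/RSA Au=RSA  Enc=AES(256)    Mac=SHA1
EOF
}

# Exit status 0 only when the listing on stdin holds ECDHE suites and nothing
# else; 1 when other suites remain (printed to stderr); 2 when it is empty.
ecdhe_only() {
    _listing=$(cat)
    [ -n "$_listing" ] || return 2
    _leftovers=$(printf '%s\n' "$_listing" | non_ecdhe_suites)
    [ -z "$_leftovers" ] && return 0
    printf '%s\n' "$_leftovers" >&2
    return 1
}

# Real use on the host, with CURRENT_STRING standing in for the existing
# httpd cipher string (hypothetical variable):
#   openssl ciphers -v "${CURRENT_STRING}:!kDH:!kEDH:!kRSA" | ecdhe_only
sample_output | non_ecdhe_suites
```

This only shows what the local openssl build expands the string to; whether httpd applies it still has to be confirmed against the listening service.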
Hi Ashwin,
Absolutely, I also see openssl ciphers show the availability of ECDHE in the compiled openssl version (mentioned in original question).
But the point being is that the command sys httpd ssl-ciphersuite on 11.6.x, doesn't seem to then correctly configure Apache services to use this for the TMUI.
I think you're confirming my suspicions, with mod_ssl possibly being outdated.
(If you want to update your original answer, I'll mark as solved by it and accept we have to upgrade).
Thanks,
JD